Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALASTOMCAT9-2023-005

Related Vulnerabilities: CVE-2021-43980   CVE-2022-42252  

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. (CVE-2021-43980) If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. (CVE-2022-42252)

Source

ALASTOMCAT9-2023-005

Amazon Linux 2 Security Advisory: ALASTOMCAT9-2023-005
Advisory Release Date: 2023-08-21 20:58 Pacific
Advisory Updated Date: 2023-09-25 21:57 Pacific
Severity: Important
Issue Overview:

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. (CVE-2021-43980)

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. (CVE-2022-42252)


Affected Packages:

tomcat


Issue Correction:
Run yum update tomcat to update your system.

New Packages:
noarch:
    tomcat-9.0.65-1.amzn2.0.2.noarch
    tomcat-admin-webapps-9.0.65-1.amzn2.0.2.noarch
    tomcat-docs-webapp-9.0.65-1.amzn2.0.2.noarch
    tomcat-jsvc-9.0.65-1.amzn2.0.2.noarch
    tomcat-jsp-2.3-api-9.0.65-1.amzn2.0.2.noarch
    tomcat-lib-9.0.65-1.amzn2.0.2.noarch
    tomcat-servlet-4.0-api-9.0.65-1.amzn2.0.2.noarch
    tomcat-el-3.0-api-9.0.65-1.amzn2.0.2.noarch
    tomcat-webapps-9.0.65-1.amzn2.0.2.noarch

src:
    tomcat-9.0.65-1.amzn2.0.2.src

Additional References

Red Hat: CVE-2021-43980, CVE-2022-42252

Mitre: CVE-2021-43980, CVE-2022-42252

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started