tomcat9: vulnerable for "ghostcat", CVE-2020-1938 / CNVD-2020-10487


Debian Bug report logs - #952437


Reported by: Joost van Baal-Ilić <joostvb+debian-bugs@uvt.nl>

Date: Mon, 24 Feb 2020 13:36:02 UTC

Severity: important

Found in versions tomcat9/9.0.27-1, tomcat9/9.0.16-4



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#952437; Package tomcat9. (Mon, 24 Feb 2020 13:36:04 GMT)


Acknowledgement sent to Joost van Baal-Ilić <joostvb+debian-bugs@uvt.nl>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 24 Feb 2020 13:36:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Joost van Baal-Ilić <joostvb+debian-bugs@uvt.nl>
To: submit@bugs.debian.org
Subject: tomcat9: vulnerable for "ghostcat", CVE-2020-1938 / CNVD-2020-10487
Date: Mon, 24 Feb 2020 14:32:00 +0100
Package: tomcat9
Version: 9.0.16-4
Severity: important

Hi,

tomcat9, as shipped with Debian buster/stable, is vulnerable to "ghostcat",
see https://www.chaitin.cn/en/ghostcat . PoC exploit code has been published.
Specifically, Apache Tomcat 9.x < 9.0.31 is vulnerable. Upstream has published
9.0.31 to fix this vulnerability (and other issues, see
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html ).

Tomcat as shipped by Debian is likely not vulnerable from the network in the
default configuration, since by default the Tomcat AJP Connector only listens on
localhost:8009, not on *:8009.

See also:

https://security-tracker.debian.org/tracker/CVE-2020-1938
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
https://www.cnvd.org.cn/webinfo/show/5415 (in Chinese)

Bye,

Joost




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#952437; Package tomcat9. (Mon, 24 Feb 2020 13:57:04 GMT)


Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 24 Feb 2020 13:57:04 GMT)


Message #10 received at 952437@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: Joost van Baal-Ilić <joostvb+debian-bugs@uvt.nl>, 952438@bugs.debian.org, 952437@bugs.debian.org, 952436@bugs.debian.org
Subject: Re: Bug#952437: tomcat9: vulnerable for "ghostcat", CVE-2020-1938 / CNVD-2020-10487
Date: Mon, 24 Feb 2020 14:52:28 +0100
On 24/02/2020 at 14:32, Joost van Baal-Ilić wrote:

> Tomcat as shipped by Debian is likely not vulnerable from the network in the
> default configuration, since by default Tomcat AJP Connector only listens on
> localhost:8009, not on *:8009 .

I confirm the Tomcat packages shipped in Debian aren't vulnerable with
the default configuration; the AJP connector has been disabled by
default since 2008.

https://salsa.debian.org/java-team/tomcat9/blob/debian/9.0.16-4/debian/patches/0002-do-not-load-AJP13-connector-by-default.patch

https://salsa.debian.org/java-team/tomcat8/blob/debian/8.5.50-0+deb9u1/debian/patches/0002-do-not-load-AJP13-connector-by-default.patch

https://salsa.debian.org/java-team/tomcat7/blob/debian/7.0.56-3+really7.0.91-1/debian/patches/0002-do-not-load-AJP13-connector-by-default.patch

Emmanuel Bourg
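Both messages above turn on one configuration question: is an AJP connector loaded at all, and if so, does it bind to localhost:8009 or to every interface? The following is an added example, not code from this bug report, from Debian or from the Tomcat project. It is a hypothetical defender-side audit that parses a Tomcat server.xml and reports each AJP connector that Tomcat would actually start, its bind address and whether an AJP secret is set. The three server.xml fragments are constructed for the example; the attribute names (protocol, address, port, secret, requiredSecret) are the ones Tomcat's Connector element uses, and the loopback address set is an assumption of what "local only" means here.

```python
"""Audit a Tomcat server.xml for AJP connectors relevant to CVE-2020-1938 (Ghostcat).

Added example (hypothetical check): reports each AJP connector Tomcat would load,
where it binds and whether an AJP secret is configured. Sample configs are constructed.
"""
from typing import Dict, List
import xml.etree.ElementTree as ET

# Assumption: binding to one of these keeps port 8009 off the network.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}


def audit_ajp_connectors(server_xml: str) -> List[Dict[str, object]]:
    """Return one finding per AJP connector that Tomcat would actually start.

    Connectors inside XML comments are dropped by the parser, which matches
    Tomcat's behaviour: a commented-out <Connector> is never loaded, so a
    Debian-style server.xml with the AJP connector disabled yields no findings.
    """
    root = ET.fromstring(server_xml)
    findings: List[Dict[str, object]] = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol is HTTP
        if "AJP" not in protocol.upper():
            continue
        address = conn.get("address")  # unset: connector listens on all interfaces (*:8009)
        # Tomcat 9.0.31 introduced the 'secret' attribute; older releases used 'requiredSecret'.
        secret = conn.get("secret") or conn.get("requiredSecret")
        on_loopback = address in LOOPBACK_ADDRESSES
        if on_loopback:
            risk = "low"      # only local processes can reach the AJP port
        elif secret:
            risk = "medium"   # reachable from the network, but requests must carry the secret
        else:
            risk = "high"     # reachable and unauthenticated: the Ghostcat exposure
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "on_loopback": on_loopback,
            "secret_configured": bool(secret),
            "risk": risk,
        })
    return findings


def worst_risk(findings: List[Dict[str, object]]) -> str:
    """Collapse the findings to a single verdict: 'none' when no AJP connector is loaded."""
    order = {"low": 1, "medium": 2, "high": 3}
    return max((str(f["risk"]) for f in findings), key=lambda r: order[r], default="none")


# Constructed sample 1: Debian-style default, AJP connector commented out.
DEBIAN_DEFAULT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>"""

# Constructed sample 2: AJP connector enabled with no address and no secret.
EXPOSED_AJP = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample 3: AJP connector kept on loopback with a secret (value is a placeholder).
LOCAL_AJP = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-SECRET" redirectPort="8443" />
  </Service>
</Server>"""


if __name__ == "__main__":
    for name, cfg in (("debian-default", DEBIAN_DEFAULT),
                      ("exposed-ajp", EXPOSED_AJP),
                      ("local-ajp", LOCAL_AJP)):
        found = audit_ajp_connectors(cfg)
        print(f"{name}: verdict={worst_risk(found)} findings={found}")
```

On a real host the same function can be fed the contents of /etc/tomcat9/server.xml; a `none` verdict corresponds to the Debian default Emmanuel describes, while `high` is the situation the Ghostcat advisories address and should be resolved by upgrading to 9.0.31 or later and keeping the connector on loopback.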



Marked as found in versions tomcat9/9.0.27-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 24 Feb 2020 15:33:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Feb 24 16:43:16 2020; Machine Name: beach
