Protect yourself against future threats.
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2024.2249
Security update for tomcat10
12 April 2024
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: tomcat10
Publisher: SUSE
Operating System: SUSE
Resolution: Patch/Upgrade
CVE Names: CVE-2024-24549 CVE-2024-23672
Original Bulletin:
https://www.suse.com/support/update/announcement/2024/suse-su-20241204-1
Comment: CVSS (Max): 7.5 CVE-2024-24549 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVSS Source: SUSE
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Security update for tomcat10
Announcement ID: SUSE-SU-2024:1204-1
Rating: important
o bsc#1221385
References: o bsc#1221386
o CVE-2024-23672
Cross-References: o CVE-2024-24549
o CVE-2024-23672 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H
CVSS scores: o CVE-2024-24549 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N
/S:U/C:N/I:N/A:H
o openSUSE Leap 15.5
Affected o SUSE Linux Enterprise High Performance Computing 15 SP5
Products: o SUSE Linux Enterprise Server 15 SP5
o SUSE Linux Enterprise Server for SAP Applications 15 SP5
o Web and Scripting Module 15-SP5
An update that solves two vulnerabilities can now be installed.
Description:
This update for tomcat10 fixes the following issues:
o CVE-2024-24549: Fixed denial of service during header validation for HTTP/2
stream (bsc#1221386)
o CVE-2024-23672: Fixed denial of service due to malicious WebSocket client
keeping connection open (bsc#1221385)
Other fixes: - Update to Tomcat 10.1.20 * Catalina + Fix: Minor performance
improvement for building filter chains. Based on ideas from #702 by Luke Miao.
(remm) + Fix: Align error handling for Writer and OutputStream. Ensure use of
either once the response has been recycled triggers a NullPointerException
provided that discardFacades is configured with the default value of true.
(markt) + Fix: 68692: The standard thread pool implementations that are
configured using the Executor element now implement ExecutorService for better
support NIO2. (remm) + Fix: 68495: When restoring a saved POST request after a
successful FORM authentication, ensure that neither the URI, the query string
nor the protocol are corrupted when restoring the request body. (markt) + Fix:
After forwarding a request, attempt to unwrap the response in order to suspend
it, instead of simply closing it if it was wrapped. Add a new
suspendWrappedResponseAfterForward boolean attribute on Context to control the
bahavior, defaulting to false. (remm) + Fix: 68721: Workaround a possible cause
of duplicate class definitions when using ClassFileTransformers and the
transformation of a class also triggers the loading of the same class. (markt)
+ Fix: The rewrite valve should not do a rewrite if the output is identical to
the input. (remm) + Update: Add a new valveSkip (or VS) rule flag to the
rewrite valve to allow skipping over the next valve in the Catalina pipeline.
(remm) + Update: Add highConcurrencyStatus attribute to the SemaphoreValve to
optionally allow the valve to return an error status code to the client when a
permit cannot be acquired from the semaphore. (remm) + Add: Add checking of the
"age" of the running Tomcat instance since its build-date to the
SecurityListener, and log a warning if the server is old. (schultz) + Fix: When
using the AsyncContext, throw an IllegalStateException, rather than allowing an
NullPointerException, if an attempt is made to use the AsyncContext after it
has been recycled. (markt) + Fix: Correct JPMS and OSGi meta-data for
tomcat-embed-core.jar by removing reference to org.apache.catalina.ssi package
that is no longer included in the JAR. Based on pull request #684 by Jendrik
Johannes. (markt) + Fix: Fix ServiceBindingPropertySource so that trailing \r\n
sequences are correctly removed from files containing property values when
configured to do so. Bug identified by Coverity Scan. (markt) + Add: Add
improvements to the CSRF prevention filter including the ability to skip adding
nonces for resource name and subtree URL patterns. (schultz) + Fix: Review
usage of debug logging and downgrade trace or data dumping operations from
debug level to trace. (remm) + Fix: 68089: Further improve the performance of
request attribute access for ApplicationHttpRequest and ApplicationRequest.
(markt) + Fix: 68559: Allow asynchronous error handling to write to the
response after an error during asynchronous processing. (markt) * Coyote + Fix:
Improve the HTTP/2 stream prioritisation process. If a stream uses all of the
connection windows and still has content to write, it will now be added to the
backlog immediately rather than waiting until the write attempt for the
remaining content. (markt) + Fix: Add threadsMaxIdleTime attribute to the
endpoint, to allow configuring the amount of time before an internal executor
will scale back to the configured minSpareThreads size. (remm) + Fix: Correct a
regression in the support for user provided SSLContext instances that broke the
org.apache.catalina.security.TLSCertificateReloadListener. (markt) + Fix:
Setting a null value for a cookie attribute should remove the attribute.
(markt) + Fix: Make asynchronous error handling more robust. Ensure that once a
connection is marked to be closed, further asynchronous processing cannot
change that. (markt) + Fix: Make asynchronous error handling more robust.
Ensure that once the call to AsyncListener.onError() has returned to the
container, only container threads can access the AsyncContext. This protects
against various race conditions that woudl otherwise occur if application
threads continued to access the AsyncContext. + Fix: Review usage of debug
logging and downgrade trace or data dumping operations from debug level to
trace. In particular, most of the HTTP/2 debug logging has been changed to
trace level. (remm) + Fix: Add support for user provided SSLContext instances
configured on SSLHostConfigCertificate instances. Based on pull request #673
provided by Hakan Altindag. (markt) + Fix: Partial fix for 68558: Cache the
result of converting to String for request URI, HTTP header names and the
request Content-Type value to improve performance by reducing repeated byte[]
to String conversions. (markt) + Fix: Improve error reporting to HTTP/2 clients
for header processing errors by reporting problems at the end of the frame
where the error was detected rather than at the end of the headers. (markt) +
Fix: Remove the remaining reference to a stream once the stream has been
recycled. This makes the stream eligible for garbage collection earlier and
thereby improves scalability. (markt) * Jasper + Add: Add support for
specifying Java 22 (with the value 22) as the compiler source and/or compiler
target for JSP compilation. If used with an Eclipse JDT compiler version that
does not support these values, a warning will be logged and the default will
used. (markt) + Fix: Handle the case where the JSP engine forwards a request/
response to a Servlet that uses an OutputStream rather than a Writer. This was
triggering an IllegalStateException on code paths where there was a subsequent
attempt to obtain a Writer. (markt) + Fix: Correctly handle the case where a
tag library is packaged in a JAR file and the web application is deployed as a
WAR file rather than an unpacked directory. (markt) + Fix: 68546: Generate
optimal size and types for JSP imports maps, as suggested by John Engebretson.
(remm) + Fix: Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. (remm) * Cluster + Fix: Avoid updating
request count stats on async. (remm) * WebSocket + Fix: Correct a regression in
the fix for 66508 that could cause an UpgradeProcessor leak in some
circumstances. (markt) + Fix: Review usage of debug logging and downgrade trace
or data dumping operations from debug level to trace. (remm) + Fix: Ensure that
WebSocket connection closure completes if the connection is closed when the
server side has used the proprietary suspend/resume feature to suspend the
connection. (markt) * Web applications Add: Add support for responses in JSON
format from the examples application RequestHeaderExample. (schultz) * Other +
Add: Improvements to French translations. (remm) + Add: Improvements to
Japanese translations by tak7iji. (markt) + Fix: 57130: Allow digest.(sh|bat)
to accept password from a file or stdin. (csutherl/schultz) + Update: Update
Checkstyle to 10.14.1. (markt) + Fix: Correct the remaining OSGi contract
references in the manifest files to refer to the Jakarta EE contract names
rather than the Java EE contract names. Based on pull request #685 provided by
Paul A. Nicolucci. (markt) + Update: Update Checkstyle to 10.13.0. (markt) +
Update: Update JSign to 6.0. (markt) + Update: Update the packaged version of
the Tomcat Migration Tool for Jakarta EE to 1.0.7. (markt) + Update: Update
Tomcat Native to 2.0.7. (markt) + Update: Add strings for debug level messages.
(remm) + Add: Improvements to French translations. (remm) + Add: Improvements
to Japanese translations by tak7iji. (markt)
Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
o openSUSE Leap 15.5
zypper in -t patch openSUSE-SLE-15.5-2024-1204=1
o Web and Scripting Module 15-SP5
zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP5-2024-1204=1
Package List:
o openSUSE Leap 15.5 (noarch)
tomcat10-admin-webapps-10.1.20-150200.5.22.2
tomcat10-lib-10.1.20-150200.5.22.2
tomcat10-webapps-10.1.20-150200.5.22.2
tomcat10-el-5_0-api-10.1.20-150200.5.22.2
tomcat10-10.1.20-150200.5.22.2
tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2
tomcat10-embed-10.1.20-150200.5.22.2
tomcat10-jsvc-10.1.20-150200.5.22.2
tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2
tomcat10-docs-webapp-10.1.20-150200.5.22.2
o Web and Scripting Module 15-SP5 (noarch)
tomcat10-admin-webapps-10.1.20-150200.5.22.2
tomcat10-lib-10.1.20-150200.5.22.2
tomcat10-webapps-10.1.20-150200.5.22.2
tomcat10-el-5_0-api-10.1.20-150200.5.22.2
tomcat10-10.1.20-150200.5.22.2
tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2
tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2
References:
o https://www.suse.com/security/cve/CVE-2024-23672.html
o https://www.suse.com/security/cve/CVE-2024-24549.html
o https://bugzilla.suse.com/show_bug.cgi?id=1221385
o https://bugzilla.suse.com/show_bug.cgi?id=1221386
- --------------------------END INCLUDED TEXT----------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================