-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2362
                          tomcat8 security update
                               13 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat8
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Denial of Service                -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands  -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11996 CVE-2020-9484
Reference:         ESB-2020.2203
                   ESB-2020.1887
                   ESB-2020.1793

Original Bulletin:
   https://www.debian.org/lts/security/2020/dla-2279

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2279-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
July 12, 2020                                 https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : tomcat8
Version        : 8.5.54-0+deb9u2
CVE ID         : CVE-2020-9484 CVE-2020-11996
Debian Bug     : 961209

Several security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.
CVE-2020-9484

    When using Apache Tomcat, if a) an attacker is able to control the
    contents and name of a file on the server; and b) the server is
    configured to use the PersistenceManager with a FileStore; and c) the
    PersistenceManager is configured with
    sessionAttributeValueClassNameFilter="null" (the default unless a
    SecurityManager is used) or a sufficiently lax filter to allow the
    attacker provided object to be deserialized; and d) the attacker knows
    the relative file path from the storage location used by FileStore to
    the file the attacker has control over; then, using a specifically
    crafted request, the attacker will be able to trigger remote code
    execution via deserialization of the file under their control. Note
    that all of conditions a) to d) must be true for the attack to succeed.

CVE-2020-11996

    A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat
    could trigger high CPU usage for several seconds. If a sufficient
    number of such requests were made on concurrent HTTP/2 connections,
    the server could become unresponsive.

For Debian 9 stretch, these problems have been fixed in version
8.5.54-0+deb9u2.

We recommend that you upgrade your tomcat8 packages.
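The configuration check an administrator would run while scheduling the upgrade, as an added example that is not code from Debian, AusCERT or the Tomcat project: it parses a Tomcat context.xml and reports the CVE-2020-9484 preconditions b) and c) above, namely a PersistentManager (the advisory's "PersistenceManager", class org.apache.catalina.session.PersistentManager) backed by a FileStore whose sessionAttributeValueClassNameFilter is unset or admits more than plain value types. The three context.xml documents and the probe class list are constructed for this example; the strict filter regex is the whitelist Tomcat applies when a SecurityManager is enabled, assumed here rather than quoted from the advisory.

```python
"""Audit Tomcat context.xml documents for the CVE-2020-9484 preconditions.

Added example for this bulletin, not Debian's, AusCERT's or Tomcat's code.
Condition b): a PersistentManager with a nested FileStore.
Condition c): sessionAttributeValueClassNameFilter absent (null) or so broad
that attacker-chosen classes would be deserialized from a session file.
"""
import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Probe class names used to judge how lax a filter is. A session store only
# needs plain value types, so a filter that also admits collection or gadget
# classes leaves room for a deserialization chain. Constructed list, not
# Tomcat's.
PROBES = [
    "java.lang.String",
    "java.lang.Integer",
    "java.util.HashMap",
    "org.apache.commons.collections.functors.InvokerTransformer",
    "com.sun.rowset.JdbcRowSetImpl",
]
BENIGN = {"java.lang.String", "java.lang.Integer"}


def audit_context(xml_text):
    """Return a list of finding strings; an empty list means no FileStore issue."""
    root = ET.fromstring(xml_text)
    findings = []
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        store = manager.find("Store")
        if store is None or store.get("className") != FILE_STORE:
            continue  # condition b) not met: no FileStore behind this manager
        filt = manager.get("sessionAttributeValueClassNameFilter")
        if filt is None:
            findings.append(
                "PersistentManager with FileStore and no "
                "sessionAttributeValueClassNameFilter (null): every "
                "serializable class in a stored session is deserialized")
            continue
        try:
            pattern = re.compile(filt)
        except re.error as exc:
            findings.append(f"filter {filt!r} is not a valid regex: {exc}")
            continue
        # Tomcat applies the filter as a whole-class-name match, so
        # re.fullmatch is the Python equivalent.
        admitted = [c for c in PROBES if pattern.fullmatch(c) and c not in BENIGN]
        if admitted:
            findings.append(
                f"filter {filt!r} admits non-value classes: {', '.join(admitted)}")
    return findings


# Constructed sample: the vulnerable shape the advisory describes.
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat8/sessions"/>
  </Manager>
</Context>
"""

# Constructed sample: a filter is set, but it matches every class name.
LAX_CONTEXT = VULNERABLE_CONTEXT.replace(
    'PersistentManager"',
    'PersistentManager" sessionAttributeValueClassNameFilter=".*"')

# Constructed sample: FileStore kept, deserialization limited to value types.
# The regex is assumed to mirror Tomcat's SecurityManager default whitelist.
STRICT_FILTER = (r"java\.lang\.(?:Boolean|Integer|Long|Number|String)"
                 r"|org\.apache\.catalina\.realm\.GenericPrincipal\$SerializablePrincipal"
                 r"|\[Ljava\.lang\.String;")
HARDENED_CONTEXT = VULNERABLE_CONTEXT.replace(
    'PersistentManager"',
    f'PersistentManager" sessionAttributeValueClassNameFilter="{STRICT_FILTER}"')


if __name__ == "__main__":
    for name, doc in [("vulnerable", VULNERABLE_CONTEXT),
                      ("lax", LAX_CONTEXT),
                      ("hardened", HARDENED_CONTEXT)]:
        result = audit_context(doc)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Run audit_context over /etc/tomcat8/context.xml and over each deployed application's META-INF/context.xml, since a Manager can be declared in either place. A strict filter narrows the exposure of a host that cannot be patched immediately, but it does not replace the upgrade to 8.5.54-0+deb9u2 (dpkg -s tomcat8 shows the installed version) and it does nothing for CVE-2020-11996.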
For the detailed security status of tomcat8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat8

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl8LfIdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTRBQ//e+3ZkHFGmuT1R5mVG6swVHcYyMhH5npA9WA5vD5++aMnAKiYONp5Dksb
M81izJS33+2cfCJ406dYH1jOayqNuoJX9ex3HCcKANfMcQomXwDH8SoK+Y4DerU1
e4z4p+lhzIyf8cJAULCxk5g29gA+J5zNP6Nu6qlp+NA8EAWJVl8heYHuZ0UslM+w
+0n8A33/hp4TcU4uG2VzRo8LCUar6GlXVhf1jivehPPYl2DgfiewK2fBjpmSJTvK
I/wWpdvdS0AHnkptYIE68AfoCoakVKev7FLXAemkHDX0Pt72MU/ii5maGOoS4Hy/
oIMdZrBEq9nbtFnnfgKyUPJNbh7GMWv0Qk2TAzpzYcVRmVzNoUwyVrVWQKDwXwfh
zWKXepCBKzBa105umPFk97e4nAEe+6Qn7NbiOI3yblTxTp+S3BXBMyiw+OCTlceC
Y81LemAfGvxOuoHdf8sNAgyd/sR9g8PqBzjtMqOZifdZYSd8kJ+qu8uHe14B8T9A
gUYNc3vRDF0LcQrdvhP2xf7wE+IeyV95MLc3CrwQKxOJghfHNpKQU7NLcjQk7yvs
mZgp90DM+KHJcetne7+/sYNKrOrC5mW8leM+3touwASMmTrkF5g8aH6IUtWtcfjo
AQ6W7a/OVaxGTVIaS0igqGQiTf6JZMRXNqajjaYkvl+91NB+w54=
=4z+L
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXwvROONLKJtyKPYoAQguhQ//XkSKdock4sUUX4nvnCnNgdt5Uljg2exI
Ww+Vzcayq7+W2GjN+P/HBT3+sHeH2WEl4+aulBVZFNVAO6OVSv3W6eBLg4Plip3I
uGUqieo3arXDlfJ2OJOkAkzIL/Ijfur4nl4/y5EqSdu77cS/7YlvQ4h+4ULMK0/2
y9qifVDv910b2JqjCQ1y0FOJFFwYTR4SJxr2eFomVedIbqhwgup1lo7NR9zUsRZm
maVWK3Cfuo3hPGqsPsF/0tygAjfkOjsybER41Y8uVC/QtxeBrZ+BsvQB1vU1SkTV
n50TJbBOkdOZhysL9IcYrBZkfFYo/Y6ta7dnCY0m1fg8XfXX7C5jH9zFLcvF9AAE
tMeFMiZIi8x3UXF8nzA+9j4d6oie14izl6v290toLunG1413Q1zNPlWA6F1PVg1w
Cq51bPsnWcxZnnokX/NXcOyXa15ihE/FQxmL1vLUgWZ6HHzjHMFolzQWB996KGwg
0MV02tWxLQMiRNT/xSv4LtLxp0NMM1GOVE1ZsfmYQZO062VExZTazZCLMeM5s/Us
TN0gv7IR7G/TSt23b4+MRv6gvz4A3W9qTRg1HOmJLgh+4m5/WMBtsKwBNAkLyLuC
RQ1rF6wkyRvP2Tcpda1MjC+I3bjlDvZ5d477avxFM1owl4BrHHjjKtBDEuonkfy9
LdBsqj3hr9k=
=LvJj
-----END PGP SIGNATURE-----