-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2362
                          tomcat8 security update
                               13 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat8
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11996 CVE-2020-9484 

Reference:         ESB-2020.2203
                   ESB-2020.1887
                   ESB-2020.1793

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2279

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-2279-1               debian-lts@lists.debian.org
https://www.debian.org/lts/security/                     Markus Koschany
July 12, 2020                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : tomcat8
Version        : 8.5.54-0+deb9u2
CVE ID         : CVE-2020-9484 CVE-2020-11996
Debian Bug     : 961209

Several security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.


CVE-2020-9484

    When using Apache Tomcat and a) an attacker is able to control the
    contents and name of a file on the server; and b) the server is
    configured to use the PersistenceManager with a FileStore; and c)
    the PersistenceManager is configured with
    sessionAttributeValueClassNameFilter="null" (the default unless a
    SecurityManager is used) or a sufficiently lax filter to allow the
    attacker provided object to be deserialized; and d) the attacker
    knows the relative file path from the storage location used by
    FileStore to the file the attacker has control over; then, using a
    specifically crafted request, the attacker will be able to trigger
    remote code execution via deserialization of the file under their
    control. Note that all of conditions a) to d) must be true for the
    attack to succeed.
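Conditions b) and c) above are visible in a web application's context.xml, so they can be checked before the package upgrade lands. The following audit script is an added example written for this bulletin, not code from Debian or the Tomcat project. It assumes Tomcat's documented class names for the manager and store (`org.apache.catalina.session.PersistentManager`, which the advisory text calls the PersistenceManager, and `org.apache.catalina.session.FileStore`) and that an absent `sessionAttributeValueClassNameFilter` is equivalent to `"null"`, as the advisory states for the non-SecurityManager default. The sample contexts are constructed, not taken from any deployment.

```python
"""Audit a Tomcat context.xml for the CVE-2020-9484 preconditions b) and c):
a FileStore-backed PersistentManager whose session attribute class filter is
unset, "null", or a match-everything regex.  Added example, not Tomcat's code."""
import xml.etree.ElementTree as ET

# Tomcat's documented class names (assumed here, not quoted from the advisory).
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
# Regular expressions that accept every class name; treated as "sufficiently lax".
MATCH_ALL_FILTERS = {".*", ".+", "^.*$", "^.+$"}


def audit_context(context_xml: str) -> list:
    """Return one finding per FileStore-backed PersistentManager in the context.

    verdict "exposed": no effective filter (absent, "null", or match-all).
    verdict "review":  a filter is set; its strictness still needs a human look."""
    root = ET.fromstring(context_xml)
    findings = []
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        store = manager.find("Store")
        if store is None or store.get("className") != FILE_STORE:
            continue
        flt = manager.get("sessionAttributeValueClassNameFilter")
        # Absent attribute behaves like "null" unless a SecurityManager is in use.
        effective = flt is not None and flt.strip().lower() != "null"
        lax = (not effective) or flt.strip() in MATCH_ALL_FILTERS
        findings.append({
            "directory": store.get("directory"),
            "filter": flt,
            "verdict": "exposed" if lax else "review",
        })
    return findings


def is_exposed(context_xml: str) -> bool:
    """True when at least one manager in the context has no effective filter."""
    return any(f["verdict"] == "exposed" for f in audit_context(context_xml))


# Constructed sample contexts (illustrative only).
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Same store, but only a short allow-list of value classes may be deserialized.
HARDENED_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# In-memory StandardManager: condition b) does not hold, nothing to report.
UNAFFECTED_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"/>
</Context>"""

if __name__ == "__main__":
    for name, xml in (("vulnerable", VULNERABLE_CONTEXT),
                      ("hardened", HARDENED_CONTEXT),
                      ("unaffected", UNAFFECTED_CONTEXT)):
        print(name, audit_context(xml))
```

Run it against each deployed application's context.xml (and the global conf/context.xml, whose Manager settings apply to every context); an "exposed" verdict means conditions b) and c) hold and only conditions a) and d) separate the host from the described outcome, so the package upgrade below should not wait.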


CVE-2020-11996

    A specially crafted sequence of HTTP/2 requests sent to Apache
    Tomcat could trigger high CPU usage for several seconds. If a
    sufficient number of such requests were made on concurrent HTTP/2
    connections, the server could become unresponsive.

For Debian 9 stretch, these problems have been fixed in version
8.5.54-0+deb9u2.

We recommend that you upgrade your tomcat8 packages.

For the detailed security status of tomcat8 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat8

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXwvROONLKJtyKPYoAQguhQ//XkSKdock4sUUX4nvnCnNgdt5Uljg2exI
Ww+Vzcayq7+W2GjN+P/HBT3+sHeH2WEl4+aulBVZFNVAO6OVSv3W6eBLg4Plip3I
uGUqieo3arXDlfJ2OJOkAkzIL/Ijfur4nl4/y5EqSdu77cS/7YlvQ4h+4ULMK0/2
y9qifVDv910b2JqjCQ1y0FOJFFwYTR4SJxr2eFomVedIbqhwgup1lo7NR9zUsRZm
maVWK3Cfuo3hPGqsPsF/0tygAjfkOjsybER41Y8uVC/QtxeBrZ+BsvQB1vU1SkTV
n50TJbBOkdOZhysL9IcYrBZkfFYo/Y6ta7dnCY0m1fg8XfXX7C5jH9zFLcvF9AAE
tMeFMiZIi8x3UXF8nzA+9j4d6oie14izl6v290toLunG1413Q1zNPlWA6F1PVg1w
Cq51bPsnWcxZnnokX/NXcOyXa15ihE/FQxmL1vLUgWZ6HHzjHMFolzQWB996KGwg
0MV02tWxLQMiRNT/xSv4LtLxp0NMM1GOVE1ZsfmYQZO062VExZTazZCLMeM5s/Us
TN0gv7IR7G/TSt23b4+MRv6gvz4A3W9qTRg1HOmJLgh+4m5/WMBtsKwBNAkLyLuC
RQ1rF6wkyRvP2Tcpda1MjC+I3bjlDvZ5d477avxFM1owl4BrHHjjKtBDEuonkfy9
LdBsqj3hr9k=
=LvJj
-----END PGP SIGNATURE-----