-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0742
                  Apache Tomcat: Multiple vulnerabilities
                               2 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Tomcat
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-25329 CVE-2021-25122 CVE-2020-9484

Reference:         ESB-2020.2670
                   ESB-2020.2447
                   ESB-2020.2083
                   ESB-2020.1793

Original Bulletin: 
   https://www.mail-archive.com/users@tomcat.apache.org/msg137185.html
   https://www.mail-archive.com/users@tomcat.apache.org/msg137186.html

Comment: This bulletin contains two (2) Apache Software Foundation
         security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2021-25122 h2c request mix-up

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0
Apache Tomcat 9.0.0.M1 to 9.0.41
Apache Tomcat 8.5.0 to 8.5.61

Description:
When responding to new h2c connection requests, Apache Tomcat could
duplicate request headers and a limited amount of request body from one
request to another meaning user A and user B could both see the results
of user A's request.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- - Upgrade to Apache Tomcat 10.0.2 or later
- - Upgrade to Apache Tomcat 9.0.43 or later
- - Upgrade to Apache Tomcat 8.5.63 or later

Note that this issue was fixed in 10.0.1, 9.0.42 and 8.5.62, but the release
votes for those versions did not pass.

Credit:
This issue was identified by the Apache Tomcat Security Team.

History:
2021-03-01 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html


- --------------------------------------------------------------------------------


CVE-2021-25329 Incomplete fix for CVE-2020-9484 (RCE via session persistence)


Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0
Apache Tomcat 9.0.0.M1 to 9.0.41
Apache Tomcat 8.5.0 to 8.5.61
Apache Tomcat 7.0.0 to 7.0.107

Description:
The fix for CVE-2020-9484 was incomplete. When using a highly unlikely 
configuration edge case, the Tomcat instance was still vulnerable to 
CVE-2020-9484. Note that both the previously published prerequisites for 
CVE-2020-9484 also apply to this issue.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- - Upgrade to Apache Tomcat 10.0.2 or later
- - Upgrade to Apache Tomcat 9.0.43 or later
- - Upgrade to Apache Tomcat 8.5.63 or later
- - Upgrade to Apache Tomcat 7.0.108 or later
- - The previously published non-upgrade mitigations for CVE-2020-9484
      also apply to this issue

Note that this issue was fixed in 10.0.1, 9.0.42 and 8.5.62, but the release
votes for those versions did not pass.
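Both advisories above give their affected and fixed versions as ranges that
include milestone builds (9.0.0.M1, 10.0.0-M1), which plain string comparison
gets wrong. The following is an added example, not part of the Apache or
AusCERT text, that turns the ranges quoted in the two advisories into a check a
defender can run against the version string a Tomcat instance reports (for
instance from ServerInfo.properties or a "Apache Tomcat/9.0.41" banner). The
ranges and fixed versions are copied from the advisory; the parsing and
milestone-ordering logic is this example's own assumption.

```python
"""Check a reported Apache Tomcat version against the affected ranges for
CVE-2021-25122 and CVE-2021-25329 as published in the advisories above.
Added example: not Apache or AusCERT code. Version ranges come from the
advisory text; the parsing rules are an assumption of this example."""
import re

# (first affected, last affected, first fixed release) per branch, inclusive.
# Copied from the advisories. 10.0.1, 9.0.42 and 8.5.62 carried the fix but
# were never released (release votes failed), so the fixed versions below
# are the next releases that did ship.
AFFECTED = {
    "CVE-2021-25122": [
        ("10.0.0-M1", "10.0.0", "10.0.2"),
        ("9.0.0.M1", "9.0.41", "9.0.43"),
        ("8.5.0", "8.5.61", "8.5.63"),
    ],
    "CVE-2021-25329": [
        ("10.0.0-M1", "10.0.0", "10.0.2"),
        ("9.0.0.M1", "9.0.41", "9.0.43"),
        ("8.5.0", "8.5.61", "8.5.63"),
        ("7.0.0", "7.0.107", "7.0.108"),
    ],
}

# Accepts "9.0.41", "9.0.0.M1", "10.0.0-M1" and an optional banner prefix
# such as "Apache Tomcat/9.0.41".
_VERSION_RE = re.compile(
    r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$"
)


def parse_version(text):
    """Return a tuple that sorts the way Tomcat releases are ordered.

    Milestone builds (rank 0) precede the GA release with the same number
    (rank 1), so 9.0.0.M1 < 9.0.0.M2 < 9.0.0 < 9.0.1.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affected_cves(version):
    """Map each CVE the given version is affected by to the first fixed
    release on that branch; an empty dict means no listed range matched."""
    parsed = parse_version(version)
    hits = {}
    for cve, ranges in AFFECTED.items():
        for low, high, fixed in ranges:
            if parse_version(low) <= parsed <= parse_version(high):
                hits[cve] = fixed
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, banner in [("app-01", "Apache Tomcat/9.0.41"),
                         ("app-02", "9.0.43"),
                         ("legacy-01", "7.0.107"),
                         ("dev-01", "10.0.0-M1")]:
        result = affected_cves(banner)
        status = "OK" if not result else ", ".join(
            f"{cve} (upgrade to {fix})" for cve, fix in sorted(result.items()))
        print(f"{host:10} {banner:22} {status}")
```

The milestone rank is the part worth keeping if you adapt this: without it,
a tuple comparison would place 9.0.0.M1 after 9.0.0 and report the first
milestone of a branch as unaffected.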

Credit:
This issue was identified by Trung Pham of Viettel Cyber Security.

History:
2021-03-01 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----