-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0742
                   Apache Tomcat: Multiple vulnerabilities
                                 2 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Tomcat
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-25329 CVE-2021-25122 CVE-2020-9484
Reference:         ESB-2020.2670
                   ESB-2020.2447
                   ESB-2020.2083
                   ESB-2020.1793

Original Bulletin:
   https://www.mail-archive.com/users@tomcat.apache.org/msg137185.html
   https://www.mail-archive.com/users@tomcat.apache.org/msg137186.html

Comment: This bulletin contains two (2) The Apache Software Foundation
         security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

CVE-2021-25122 h2c request mix-up

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0
Apache Tomcat 9.0.0.M1 to 9.0.41
Apache Tomcat 8.5.0 to 8.5.61

Description:
When responding to new h2c connection requests, Apache Tomcat could
duplicate request headers and a limited amount of request body from one
request to another, meaning user A and user B could both see the results
of user A's request.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.2 or later
- Upgrade to Apache Tomcat 9.0.43 or later
- Upgrade to Apache Tomcat 8.5.63 or later

Note that the issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release
votes for those versions did not pass.

Credit:
This issue was identified by the Apache Tomcat Security Team.
History:
2021-03-01 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html

--------------------------------------------------------------------------------

CVE-2021-25329 Incomplete fix for CVE-2020-9484 (RCE via session persistence)

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0
Apache Tomcat 9.0.0.M1 to 9.0.41
Apache Tomcat 8.5.0 to 8.5.61
Apache Tomcat 7.0.0 to 7.0.107

Description:
The fix for CVE-2020-9484 was incomplete. When using a highly unlikely
configuration edge case, the Tomcat instance was still vulnerable to
CVE-2020-9484. Note that both the previously published prerequisites for
CVE-2020-9484 also apply to this issue.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.2 or later
- Upgrade to Apache Tomcat 9.0.43 or later
- Upgrade to Apache Tomcat 8.5.63 or later
- Upgrade to Apache Tomcat 7.0.108 or later
- The previously published non-upgrade mitigations for CVE-2020-9484 also
  apply to this issue

Note that the issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release
votes for those versions did not pass.

Credit:
This issue was identified by Trung Pham of Viettel Cyber Security.

History:
2021-03-01 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
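The affected ranges in the two advisories above are awkward to compare by eye because Tomcat milestone builds (10.0.0-M1, 9.0.0.M1) sort before the GA release of the same number. The following script, added here and not part of the AusCERT bulletin or the Apache advisories, encodes the ranges and fixed releases exactly as the advisories state them and reports which CVEs cover a given version string (as printed by Tomcat, e.g. "Apache Tomcat/9.0.41").

```python
"""Check a reported Apache Tomcat version against the affected ranges
stated in ESB-2021.0742 (CVE-2021-25122 and CVE-2021-25329).
Added example; the ranges below are copied from the advisory text."""
import re

# Inclusive affected ranges per CVE, as listed under "Versions Affected".
AFFECTED = {
    "CVE-2021-25122": [("10.0.0-M1", "10.0.0"), ("9.0.0.M1", "9.0.41"),
                       ("8.5.0", "8.5.61")],
    "CVE-2021-25329": [("10.0.0-M1", "10.0.0"), ("9.0.0.M1", "9.0.41"),
                       ("8.5.0", "8.5.61"), ("7.0.0", "7.0.107")],
}
# First release per branch that actually shipped the fix (10.0.1, 9.0.42
# and 8.5.62 contained it but their release votes did not pass).
FIXED_IN = {"10.0": "10.0.2", "9.0": "9.0.43", "8.5": "8.5.63", "7.0": "7.0.108"}

# Accepts both milestone spellings used by the advisory: "10.0.0-M1", "9.0.0.M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Return a sortable key (major, minor, patch, is_ga, milestone).
    A milestone sorts before the GA release of the same number."""
    text = text.strip().replace("Apache Tomcat/", "", 1)
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_ga = milestone is None
    return (int(major), int(minor), int(patch), int(is_ga),
            0 if is_ga else int(milestone))


def affecting_cves(version):
    """CVEs from this bulletin whose affected range covers `version`."""
    key = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(parse_version(lo) <= key <= parse_version(hi)
                   for lo, hi in ranges)]


def recommended_upgrade(version):
    """Fixed release on the same branch, or None if the branch is not listed."""
    major, minor = parse_version(version)[:2]
    return FIXED_IN.get(f"{major}.{minor}")


if __name__ == "__main__":
    for v in ("Apache Tomcat/9.0.41", "10.0.0-M1", "7.0.107", "8.5.63"):
        print(v, affecting_cves(v), "-> upgrade to", recommended_upgrade(v))
```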
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================