-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.2979
   CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete
                                23 May 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Tomcat
Publisher:         Apache
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-28709 CVE-2023-24998 

Original Bulletin: 
   https://seclists.org/oss-sec/2023/q2/187

Comment: CVSS (Max):  7.5 CVE-2023-28709 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: [SUSE], NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M2 to 11.0.0-M4
Apache Tomcat 10.1.5 to 10.1.7
Apache Tomcat 9.0.71 to 9.0.73
Apache Tomcat 8.5.85 to 8.5.87

Description:
The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector 
settings were used such that the maxParameterCount could be reached 
using query string parameters and a request was submitted that supplied 
exactly maxParameterCount parameters in the query string, the limit for 
uploaded request parts could be bypassed with the potential for a denial 
of service to occur.
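To make the edge case in the description concrete, the following Python model is an added example, not Tomcat's code: it assumes that a connector's maxParameterCount is one budget shared by query-string parameters and multipart parts, that the remaining budget is handed to the part parser as its part limit, and (a common upload-library convention, assumed here) that a part limit of zero or less means "no limit". Under those assumptions a request that spends exactly maxParameterCount on the query string hands the parser a limit of 0, which it reads as unlimited. The hardened handler treats an exhausted budget as "no parts allowed" explicitly instead of relying on the parser's interpretation. All inputs are constructed.

```python
from urllib.parse import parse_qsl


class TooManyParameters(Exception):
    """Raised when a request exceeds the connector's parameter budget."""


def count_query_params(query: str) -> int:
    """Count name=value pairs in a query string (blank values still count)."""
    return len(parse_qsl(query, keep_blank_values=True))


def parse_multipart_parts(parts: list[str], file_count_max: int) -> list[str]:
    """Toy part parser. Assumption mirroring common upload libraries:
    a file_count_max <= 0 is interpreted as 'no limit'."""
    accepted: list[str] = []
    for part in parts:
        if file_count_max > 0 and len(accepted) >= file_count_max:
            raise TooManyParameters(
                f"more than {file_count_max} parts in multipart body")
        accepted.append(part)
    return accepted


def handle_request_incomplete(max_parameter_count: int, query: str,
                              parts: list[str]) -> list[str]:
    """Model of the incomplete fix: the remaining budget is passed straight
    to the part parser. When the query string already used the whole
    budget, remaining == 0 and the parser treats it as unlimited."""
    used = count_query_params(query)
    if used > max_parameter_count:
        raise TooManyParameters("query string exceeds maxParameterCount")
    remaining = max_parameter_count - used   # 0 when exactly at the limit
    return parse_multipart_parts(parts, remaining)


def handle_request_hardened(max_parameter_count: int, query: str,
                            parts: list[str]) -> list[str]:
    """Hardened handler: an exhausted budget means zero parts are allowed,
    decided here rather than delegated to the parser's convention."""
    used = count_query_params(query)
    if used > max_parameter_count:
        raise TooManyParameters("query string exceeds maxParameterCount")
    remaining = max_parameter_count - used
    if remaining <= 0:
        if parts:
            raise TooManyParameters(
                "parameter budget exhausted by query string; no parts allowed")
        return []
    return parse_multipart_parts(parts, remaining)


def demo() -> dict:
    """Constructed request: maxParameterCount=3, exactly 3 query parameters,
    and a multipart body with 1000 parts."""
    query = "a=1&b=2&c=3"
    body_parts = [f"part{i}" for i in range(1000)]
    accepted_by_incomplete = len(handle_request_incomplete(3, query, body_parts))
    try:
        handle_request_hardened(3, query, body_parts)
        hardened_rejected = False
    except TooManyParameters:
        hardened_rejected = True
    return {"accepted_by_incomplete": accepted_by_incomplete,
            "hardened_rejected": hardened_rejected}


if __name__ == "__main__":
    print(demo())
```

The model shows why the bug only appears with non-default connector settings: the query string has to be able to consume the whole budget, and the body has to be accepted as multipart, before the remaining count drops to exactly zero. The practical mitigation remains the upgrade listed below; the model is only there to show which request shape the incomplete check let through.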

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- - Upgrade to Apache Tomcat 11.0.0-M5 or later
- - Upgrade to Apache Tomcat 10.1.8 or later
- - Upgrade to Apache Tomcat 9.0.74 or later
- - Upgrade to Apache Tomcat 8.5.88 or later

Credit:
This issue was identified by Chenwei Jiang, Chenfeng Nie and Yue Yang 
from the Huawei Nebula Security Lab

History:
2023-05-22 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZGwJl8kNZI30y1K9AQh/7RAAj8jfM/UxPzZxZnE+GnE1Hyk0oI+eLbXj
Ff0FrGoGseZkhIb7A8YJpjtBdKMnbxNdeMlOtxf5HwjbZ5xlvf8JnoslUOXRdJqu
JOMxGhsLtGKm+j88du1K7vLx73HNkwiwh8ALY5iQ8413cZUyD4iPwkhbpSUD9ZFL
HSfo+5qR+AQ1XqSLAlrB9hwN0Y/JTQHEFUh5khmB/qEe9BbLVpcJbh6q8S2e/OT0
/gfvVeNGBVYdtUErYSGdx86gXV/qg43ZR/6ibAdYhIwfrolpz7k6jPo/Z1fUJoNu
YGdE/FfoU+Nh3IqTJNuodb2xoolksQJ48jCJ/t8PQ9N4TJf43ngE216pLA2j6uYx
97HfIdtNw6ONZvOc9zInFV0X33P8Obv1bk8j5V3VCUEXLT/T7I+H1mw56h8TcZWd
1FsPhulv4zP0Ebv6WOMuQT3pqe8CM32aAfZo7QTe1lwEj+kNSWv5GC3NSDyy5ZdT
BlJvVD1CR//RoU7coh1ikgc5bBGXRrmGQH09gnHGD6ZpszaKf9Sx5DivZif/om5o
DI59s1bOfgQLXZs+3227A79P7KvlFMQ1naC7vvnlbBuEDrl4g39O3MkqHoY4ODWr
sF320OdiknbBSnRfH6jam7ZInJnaJ8eHlYM4etXbAzlOcJcdDLJcDxpho16SnbCH
A7J1+GdYs8E=
=D/tO
-----END PGP SIGNATURE-----