23 May 2023
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.2979
      CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete
                               23 May 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Tomcat
Publisher:         Apache
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-28709 CVE-2023-24998

Original Bulletin:
   https://seclists.org/oss-sec/2023/q2/187

Comment: CVSS (Max):  7.5 CVE-2023-28709 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: [SUSE], NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M2 to 11.0.0-M4
Apache Tomcat 10.1.5 to 10.1.7
Apache Tomcat 9.0.71 to 9.0.73
Apache Tomcat 8.5.85 to 8.5.87

Description:
The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector
settings were used such that the maxParameterCount could be reached using
query string parameters and a request was submitted that supplied exactly
maxParameterCount parameters in the query string, the limit for uploaded
request parts could be bypassed with the potential for a denial of service
to occur.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- - Upgrade to Apache Tomcat 11.0.0-M5 or later
- - Upgrade to Apache Tomcat 10.1.8 or later
- - Upgrade to Apache Tomcat 9.0.74 or later
- - Upgrade to Apache Tomcat 8.5.88 or later

Credit:
This issue was identified by Chenwei Jiang, Chenfeng Nie and Yue Yang from
the Huawei Nebula Security Lab

History:
2023-05-22 Original advisory

References:
https://tomcat.apache.org/security-11.html
https://tomcat.apache.org/security-10.html
https://tomcat.apache.org/security-9.html
https://tomcat.apache.org/security-8.html

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
firstname.lastname@example.org and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZGwJl8kNZI30y1K9AQh/7RAAj8jfM/UxPzZxZnE+GnE1Hyk0oI+eLbXj
Ff0FrGoGseZkhIb7A8YJpjtBdKMnbxNdeMlOtxf5HwjbZ5xlvf8JnoslUOXRdJqu
JOMxGhsLtGKm+j88du1K7vLx73HNkwiwh8ALY5iQ8413cZUyD4iPwkhbpSUD9ZFL
HSfo+5qR+AQ1XqSLAlrB9hwN0Y/JTQHEFUh5khmB/qEe9BbLVpcJbh6q8S2e/OT0
/gfvVeNGBVYdtUErYSGdx86gXV/qg43ZR/6ibAdYhIwfrolpz7k6jPo/Z1fUJoNu
YGdE/FfoU+Nh3IqTJNuodb2xoolksQJ48jCJ/t8PQ9N4TJf43ngE216pLA2j6uYx
97HfIdtNw6ONZvOc9zInFV0X33P8Obv1bk8j5V3VCUEXLT/T7I+H1mw56h8TcZWd
1FsPhulv4zP0Ebv6WOMuQT3pqe8CM32aAfZo7QTe1lwEj+kNSWv5GC3NSDyy5ZdT
BlJvVD1CR//RoU7coh1ikgc5bBGXRrmGQH09gnHGD6ZpszaKf9Sx5DivZif/om5o
DI59s1bOfgQLXZs+3227A79P7KvlFMQ1naC7vvnlbBuEDrl4g39O3MkqHoY4ODWr
sF320OdiknbBSnRfH6jam7ZInJnaJ8eHlYM4etXbAzlOcJcdDLJcDxpho16SnbCH
A7J1+GdYs8E=
=D/tO
-----END PGP SIGNATURE-----
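The bulletin above lists four affected version ranges, four fixed releases, and one precondition (a non-default HTTP connector configuration in which maxParameterCount is reachable from the query string). The script below is an added example for triaging a Tomcat fleet against exactly those facts; it is not AusCERT's or Apache's code. It assumes the version string is the one printed on the "Server version:" line of `catalina.sh version` (for example `Apache Tomcat/9.0.73`), that `server.xml` uses the standard `Connector` element with the documented `maxParameterCount` attribute, and it flags any HTTP connector that sets that attribute explicitly, since that is the only configuration signal the advisory gives. The embedded `server.xml` is constructed for the example. Note that Apache rates the issue Moderate while the CVSS 3.1 score quoted by AusCERT is 7.5 (availability impact only), so the connector check is what tells you whether your exposure is closer to the vendor's or the scorer's view. Releases older than the listed ranges are not flagged because the advisory does not list them; the Tomcat security pages in the References cover those separately.

```python
"""Triage helper for CVE-2023-28709 (added example, not AusCERT/Apache code)."""
import re
import xml.etree.ElementTree as ET

# Affected ranges and first fixed release, copied from the advisory text.
AFFECTED = [
    ("11.0.0-M2", "11.0.0-M4", "11.0.0-M5"),
    ("10.1.5", "10.1.7", "10.1.8"),
    ("9.0.71", "9.0.73", "9.0.74"),
    ("8.5.85", "8.5.87", "8.5.88"),
]

# GA releases get a huge milestone component so 11.0.0 sorts after 11.0.0-M4.
GA = 10 ** 6
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Turn '9.0.73', '11.0.0-M3' or 'Apache Tomcat/9.0.73' into a sortable tuple."""
    text = text.strip().rsplit("/", 1)[-1]
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else GA)


def assess_version(text):
    """Report whether a version is in an affected range and which release fixes it."""
    v = parse_version(text)
    for first, last, fixed in AFFECTED:
        if parse_version(first) <= v <= parse_version(last):
            return {"version": text.strip(), "affected": True, "upgrade_to": fixed}
    return {"version": text.strip(), "affected": False, "upgrade_to": None}


def http_connectors_with_max_parameter_count(server_xml):
    """List (port, maxParameterCount) for every HTTP connector that sets the attribute.

    A Connector without a protocol attribute is HTTP/1.1 by default. AJP
    connectors are skipped because the advisory concerns HTTP connector settings.
    The attribute's documented default is 1000; an explicit value is the
    "non-default HTTP connector settings" signal the advisory names, so a
    reviewer should then judge whether that many parameters fit in a query
    string on that connector.
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" in protocol.upper():
            continue
        if "maxParameterCount" in conn.attrib:
            found.append((conn.get("port"), int(conn.get("maxParameterCount"))))
    return found


# Constructed sample server.xml (not from any real deployment): the 8443
# connector raises maxParameterCount explicitly; the AJP one must be ignored.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxParameterCount="20000" maxHttpHeaderSize="65536"/>
    <Connector port="8009" protocol="AJP/1.3" maxParameterCount="50"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for v in ("Apache Tomcat/9.0.73", "10.1.8", "11.0.0-M4", "8.5.84"):
        print(assess_version(v))
    print(http_connectors_with_max_parameter_count(SAMPLE_SERVER_XML))
```

Run it against the real `server.xml` by reading the file into `http_connectors_with_max_parameter_count`; a host that is both in an affected range and has an HTTP connector in that list is the one to patch first.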