Linux Security

    Debian LTS: DLA-2209-1: tomcat8 security update

    Date 28 May 2020
    Posted By LinuxSecurity Advisories
    Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.
    Package        : tomcat8
    Version        : 8.0.14-1+deb8u17
    CVE ID         : CVE-2019-17563 CVE-2020-1935 CVE-2020-1938
    Debian Bug     : 961209 952436 952437 952438
    WARNING: The fix for CVE-2020-1938 may disrupt services that rely on a
    working AJP configuration. The option secretRequired defaults to true
    now. You should define a secret in your server.xml or you can revert
    back by setting secretRequired to false.
    CVE-2019-17563

        When using FORM authentication with Apache Tomcat there was a narrow
        window where an attacker could perform a session fixation attack.
        The window was considered too narrow for an exploit to be practical
        but, erring on the side of caution, this issue has been treated as a
        security vulnerability.
    CVE-2020-1935

        In Apache Tomcat the HTTP header parsing code used an approach to
        end-of-line parsing that allowed some invalid HTTP headers to be
        parsed as valid. This led to a possibility of HTTP Request Smuggling
        if Tomcat was located behind a reverse proxy that incorrectly
        handled the invalid Transfer-Encoding header in a particular manner.
        Such a reverse proxy is considered unlikely.
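The root cause named above is a parser disagreement: if a front-end proxy and Tomcat split header lines differently, they can see different headers in the same request. The following is an added illustration written for this page, not Tomcat's parsing code and not part of the advisory. It contrasts a strict header parser (only CRLF ends a line) with a lenient one, and adds the RFC 7230 check that a body's length must not be defined two ways. The function names, the `BadHeader` class and the `SAMPLE` bytes are constructed for the example.

```python
# Added illustration (not Tomcat's code): why lenient end-of-line handling in
# an HTTP header parser matters. When a front-end proxy and a back-end server
# split header lines differently, they can disagree on which headers a request
# carries, which is the root cause behind request smuggling. The functions and
# sample bytes below are constructed for this example.
import re
from typing import Dict, List

# RFC 7230 "tchar" characters allowed in a header field name.
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


class BadHeader(ValueError):
    """Raised when a header block is rejected as malformed."""


def parse_headers(raw: bytes, strict: bool = True) -> Dict[bytes, List[bytes]]:
    """Parse an HTTP header block up to the blank line that ends it.

    strict=True : only CRLF terminates a line; a bare CR or LF anywhere in a
                  header line is an error (RFC 7230 behaviour).
    strict=False: a lone CR or LF is also accepted as a line terminator, the
                  kind of leniency that lets two parsers disagree.
    """
    if strict:
        lines = raw.split(b"\r\n")
    else:
        lines = re.split(rb"\r\n|\r|\n", raw)
    headers: Dict[bytes, List[bytes]] = {}
    for line in lines:
        if line == b"":
            break  # empty line terminates the header block
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.match(name):
            raise BadHeader(f"malformed header line: {line!r}")
        value = value.strip(b" \t")
        if b"\r" in value or b"\n" in value:
            # Only reachable in strict mode: lenient splitting consumed them.
            raise BadHeader(f"bare CR/LF inside header value: {line!r}")
        headers.setdefault(name.lower(), []).append(value)
    return headers


def strict_rejects(raw: bytes) -> bool:
    """True if the strict parser refuses a block (a lenient one may accept it)."""
    try:
        parse_headers(raw, strict=True)
    except BadHeader:
        return True
    return False


def framing_is_unambiguous(headers: Dict[bytes, List[bytes]]) -> bool:
    """RFC 7230 section 3.3.3: refuse bodies whose length is defined two ways.

    A request carrying both Transfer-Encoding and Content-Length, or several
    differing Content-Length values, must not be forwarded as-is.
    """
    cl = headers.get(b"content-length", [])
    te = headers.get(b"transfer-encoding", [])
    if cl and te:
        return False
    if len(set(cl)) > 1:
        return False
    return True


# Constructed sample: the second line holds a bare CR in the middle of a header.
SAMPLE = b"Host: app.example\r\nTransfer-Encoding: chunked\rX-Note: split\r\n\r\n"

if __name__ == "__main__":
    print("lenient parse:", parse_headers(SAMPLE, strict=False))
    print("strict rejects:", strict_rejects(SAMPLE))
```

Run stand-alone, the lenient parser reports three headers for `SAMPLE` while the strict parser rejects the block outright; a proxy chain in which both behaviours coexist is exactly the situation the advisory describes, and the strict behaviour is the one to keep on both ends.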
    CVE-2020-1938

        When using the Apache JServ Protocol (AJP), care must be taken when
        trusting incoming connections to Apache Tomcat. Tomcat treats AJP
        connections as having higher trust than, for example, a similar HTTP
        connection. If such connections are available to an attacker, they
        can be exploited in ways that may be surprising. Previously Tomcat
        shipped with an AJP Connector enabled by default that listened on
        all configured IP addresses. It was expected (and recommended in the
        security guide) that this Connector would be disabled if not

        Note that Debian already disabled the AJP connector by default.
        Mitigation is only required if the AJP port was made accessible to
        untrusted users.
        When using Apache Tomcat and a) an attacker is able to control the
        contents and name of a file on the server; and b) the server is
        configured to use the PersistenceManager with a FileStore; and c)
        the PersistenceManager is configured with
        sessionAttributeValueClassNameFilter="null" (the default unless a
        SecurityManager is used) or a sufficiently lax filter to allow the
        attacker provided object to be deserialized; and d) the attacker
        knows the relative file path from the storage location used by
        FileStore to the file the attacker has control over; then, using a
        specifically crafted request, the attacker will be able to trigger
        remote code execution via deserialization of the file under their
        control. Note that all of conditions a) to d) must be true for the
        attack to succeed.
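The WARNING about secretRequired, the AJP description and the FileStore description above all come down to a few attributes in Tomcat's server.xml or context.xml. The script below is an added example for this page, not part of the Debian advisory or of Tomcat: it audits such a file for an AJP Connector that listens on all addresses, an AJP Connector with secretRequired="false" or with secretRequired="true" but no secret (which will refuse to start once the update is applied), and a PersistentManager backed by a FileStore with no sessionAttributeValueClassNameFilter. The two configurations embedded in it are constructed samples; the secret value is a placeholder to be replaced, and the class-name filter in the hardened sample is the allow-list form shown in Tomcat's own documentation.

```python
# Added example (not part of the Debian advisory or of Tomcat): audit a Tomcat
# server.xml / context.xml for the settings the advisory calls out. Both
# configurations below are constructed samples; the secret is a placeholder.
import xml.etree.ElementTree as ET
from typing import List

WEAK_CONFIG = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secretRequired="false"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/app" docBase="app">
          <Manager className="org.apache.catalina.session.PersistentManager">
            <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
          </Manager>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>"""

HARDENED_CONFIG = r"""<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true"
               secret="REPLACE-WITH-A-RANDOM-SECRET"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/app" docBase="app">
          <Manager className="org.apache.catalina.session.PersistentManager"
                   sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
            <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
          </Manager>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>"""

# No address attribute means Tomcat listens on all local addresses.
WILDCARD_ADDRESSES = {None, "0.0.0.0", "::", "::0"}


def audit(xml_text: str) -> List[str]:
    """Return one finding per risky setting; an empty list means nothing flagged.

    A Connector that is commented out (Debian's default) is not parsed by
    ElementTree, so it is not reported.
    """
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            continue
        port = conn.get("port", "?")
        if conn.get("address") in WILDCARD_ADDRESSES:
            findings.append(f"AJP connector on port {port} listens on all addresses; "
                            "bind it with address=\"127.0.0.1\" unless remote AJP "
                            "clients are required")
        # After the update secretRequired defaults to true, so treat absence as true.
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f"AJP connector on port {port} has secretRequired=\"false\"")
        elif not conn.get("secret"):
            findings.append(f"AJP connector on port {port} requires a secret but none "
                            "is set; it will refuse to start after the update")

    for mgr in root.iter("Manager"):
        if not mgr.get("className", "").endswith("PersistentManager"):
            continue
        store = mgr.find("Store")
        if store is None or not store.get("className", "").endswith("FileStore"):
            continue
        flt = mgr.get("sessionAttributeValueClassNameFilter")
        if flt is None or flt == "null":
            findings.append("PersistentManager with FileStore has no "
                            "sessionAttributeValueClassNameFilter; any class on the "
                            "classpath can be deserialized from a session file")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Point the script at a real server.xml by reading the file into `audit()`; the weak sample yields three findings and the hardened one none. Binding the AJP connector to 127.0.0.1 and setting a secret addresses the connector findings; the class-name filter should list only the attribute types the application actually stores in sessions.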
    For Debian 8 "Jessie", these problems have been fixed in version
    We recommend that you upgrade your tomcat8 packages.
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at:
