Debian LTS: DLA-2209-1: tomcat8 security update

    Date 28 May 2020
    Posted By LinuxSecurity Advisories
    Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.
    
    Package        : tomcat8
    Version        : 8.0.14-1+deb8u17
    CVE ID         : CVE-2019-17563 CVE-2020-1935 CVE-2020-1938
                     CVE-2020-9484
    Debian Bug     : 961209 952436 952437 952438
    
    
    Several security vulnerabilities have been discovered in the Tomcat
    servlet and JSP engine.
    
    WARNING: The fix for CVE-2020-1938 may disrupt services that rely on a
    working AJP configuration. The option secretRequired now defaults to
    true. Define a secret in your server.xml, or revert to the previous
    behaviour by setting secretRequired to false.
    
    
    CVE-2019-17563
    
        When using FORM authentication with Apache Tomcat there was a narrow
        window where an attacker could perform a session fixation attack.
        The window was considered too narrow for an exploit to be practical
        but, erring on the side of caution, this issue has been treated as a
        security vulnerability.
    
    CVE-2020-1935
    
        In Apache Tomcat the HTTP header parsing code used an approach to
        end-of-line parsing that allowed some invalid HTTP headers to be
        parsed as valid. This led to a possibility of HTTP Request Smuggling
        if Tomcat was located behind a reverse proxy that incorrectly
        handled the invalid Transfer-Encoding header in a particular manner.
        Such a reverse proxy is considered unlikely.
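
    The parsing disagreement this entry describes, as an added example that is not Tomcat's code: three simplified header parsers that differ only in how they treat a bare LF (0x0A without a preceding CR), run over a constructed request head. Tomcat's actual end-of-line handling is not reproduced here; the bare-LF rule is simply one kind of leniency of the class the CVE describes. With this input the forwarding front-end frames the body by Content-Length, the origin server frames it as chunked, and a compliant parser rejects the request outright.

```python
"""Illustrative model of the request-smuggling class behind CVE-2020-1935.

Not Tomcat's parser. Three simplified header parsers differ only in how they treat
a bare LF (0x0A not preceded by CR). When a front-end proxy and the origin server
pick different rules, they disagree about which headers exist, and therefore about
how the message body is delimited. That disagreement is what request smuggling needs.
"""

MODES = ("strict", "lf_ends_line", "lf_in_value")


def split_header_lines(block, mode):
    """Split a raw header block (ending in an empty CRLF line) into lines.

    strict:       only CRLF ends a line; a bare CR or LF is rejected outright.
    lf_ends_line: a bare LF also ends a line (a lenient origin server).
    lf_in_value:  a bare LF is just another byte of the current line (a lenient
                  front-end that forwards the bytes unchanged).
    """
    lines, cur, i = [], bytearray(), 0
    while i < len(block):
        b = block[i:i + 1]
        if b == b"\r" and block[i + 1:i + 2] == b"\n":
            lines.append(bytes(cur))
            cur = bytearray()
            i += 2
            continue
        if b in (b"\r", b"\n"):
            if mode == "strict":
                raise ValueError(f"bare {b!r} in header block")
            if b == b"\n" and mode == "lf_ends_line":
                lines.append(bytes(cur))
                cur = bytearray()
                i += 1
                continue
        cur += b
        i += 1
    if cur:
        raise ValueError("header block not terminated by CRLF")
    return lines


def parse_headers(block, mode):
    """Return [(lower-cased name, value)] for the header lines before the first empty line."""
    headers = []
    for line in split_header_lines(block, mode):
        if line == b"":
            break
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("header line without a colon")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def framing(headers):
    """How the body is delimited: Transfer-Encoding overrides Content-Length (RFC 7230 3.3.3)."""
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if te and te[-1].strip().lower() == b"chunked":
        return "chunked"
    cl = [v for n, v in headers if n == b"content-length"]
    return f"content-length:{int(cl[0]) if cl else 0}"


# Constructed request head: the Transfer-Encoding line ends in a bare LF, so it is either
# a header of its own (lf_ends_line) or part of a longer, non-"chunked" value (lf_in_value).
HEAD = (b"Host: app.example\r\n"
        b"Content-Length: 4\r\n"
        b"Transfer-Encoding: chunked\n"
        b"X-Ignore: 1\r\n"
        b"\r\n")


def interpretations(head):
    """Map each parsing rule to the body framing it would apply, or to a rejection."""
    out = {}
    for mode in MODES:
        try:
            out[mode] = framing(parse_headers(head, mode))
        except ValueError as exc:
            out[mode] = f"rejected ({exc})"
    return out


if __name__ == "__main__":
    for mode, result in interpretations(HEAD).items():
        print(f"{mode:13s} -> {result}")
```

    The lesson is the one the advisory hints at: an origin server behind a proxy gains nothing from tolerating malformed line endings, because the proxy may resolve the same bytes differently, and the safe behaviour is to reject them.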
    
    CVE-2020-1938
    
        When using the Apache JServ Protocol (AJP), care must be taken when
        trusting incoming connections to Apache Tomcat. Tomcat treats AJP
        connections as having higher trust than, for example, a similar HTTP
        connection. If such connections are available to an attacker, they
        can be exploited in ways that may be surprising. Previously Tomcat
        shipped with an AJP Connector enabled by default that listened on
        all configured IP addresses. It was expected (and recommended in the
        security guide) that this Connector would be disabled if not
        required.

        Note that Debian already disabled the AJP connector by default.
        Mitigation is only required if the AJP port was made accessible to
        untrusted users.
    
    CVE-2020-9484
    
        When using Apache Tomcat, if a) an attacker is able to control the
        contents and name of a file on the server; and b) the server is
        configured to use the PersistenceManager with a FileStore; and c)
        the PersistenceManager is configured with
        sessionAttributeValueClassNameFilter="null" (the default unless a
        SecurityManager is used) or a sufficiently lax filter to allow the
        attacker provided object to be deserialized; and d) the attacker
        knows the relative file path from the storage location used by
        FileStore to the file the attacker has control over; then, using a
        specifically crafted request, the attacker will be able to trigger
        remote code execution via deserialization of the file under their
        control. Note that all of conditions a) to d) must be true for the
        attack to succeed.
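
    The two configuration checks this advisory calls for, as an added example that is not Debian's or Tomcat's code: a small audit of server.xml for the AJP connector settings behind the WARNING above and CVE-2020-1938 (loopback binding, secretRequired, a shared secret), and of context.xml for the PersistenceManager/FileStore class-name filter that is condition c) of CVE-2020-9484. All XML fragments are constructed samples; the allow-list regex in the filtered sample is modelled on the one Tomcat's documentation gives as the SecurityManager default, and the secret value is a placeholder.

```python
"""Audit Tomcat XML configuration for the two hardening points in this advisory.

Added example, not Debian's or Tomcat's code. server.xml: every AJP connector should be
bound to loopback and carry a shared secret (CVE-2020-1938). context.xml: a
PersistentManager with a FileStore should set sessionAttributeValueClassNameFilter
(CVE-2020-9484, condition c). All XML fragments below are constructed samples.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Pre-fix upstream default: AJP enabled on every interface, no shared secret.
SERVER_EXPOSED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Hardened: loopback only, secretRequired (the new default) with a secret the proxy shares.
SERVER_HARDENED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"
               redirectPort="8443" />
  </Service>
</Server>"""

# Debian default: the AJP connector is commented out, so there is no AJP listener at all.
SERVER_DISABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>"""

# Lax: file-backed session persistence with no class-name filter (the default without a SecurityManager).
CONTEXT_LAX = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions" />
  </Manager>
</Context>"""

# Filtered: an allow-list regex modelled on the one Tomcat documents as the SecurityManager default.
CONTEXT_FILTERED = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.realm\.GenericPrincipal\$SerializablePrincipal|\[Ljava\.lang\.String;">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions" />
  </Manager>
</Context>"""


def audit_ajp(server_xml):
    """Findings for every AJP connector in server.xml; an empty list means nothing to fix."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if not c.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        port = c.get("port", "?")
        address = c.get("address")  # unset means Tomcat binds every interface
        if address not in LOOPBACK:
            findings.append(f"AJP {port}: listens on {address or 'all interfaces'}; "
                            "bind it to loopback or firewall the port")
        if c.get("secretRequired", "true").lower() != "true":
            findings.append(f"AJP {port}: secretRequired=false reverts the CVE-2020-1938 hardening")
        elif not c.get("secret"):
            findings.append(f"AJP {port}: secretRequired is true (the new default) but no secret "
                            "is set; the connector will refuse to start after the upgrade")
    return findings


def audit_session_store(context_xml):
    """Findings for a PersistentManager + FileStore that lacks a class-name allow-list."""
    findings = []
    for m in ET.fromstring(context_xml).iter("Manager"):
        if "PersistentManager" not in m.get("className", ""):
            continue
        if not any("FileStore" in s.get("className", "") for s in m.findall("Store")):
            continue
        flt = m.get("sessionAttributeValueClassNameFilter")
        if not flt or flt.lower() == "null":
            findings.append("PersistentManager with FileStore has no "
                            "sessionAttributeValueClassNameFilter: any serializable class on the "
                            "classpath may be deserialized from a session file")
    return findings


if __name__ == "__main__":
    for label, xml in (("exposed", SERVER_EXPOSED), ("hardened", SERVER_HARDENED),
                       ("disabled", SERVER_DISABLED)):
        print(f"server.xml ({label}):", audit_ajp(xml) or ["ok"])
    for label, xml in (("lax", CONTEXT_LAX), ("filtered", CONTEXT_FILTERED)):
        print(f"context.xml ({label}):", audit_session_store(xml) or ["ok"])
```

    Point the two functions at the real files under /etc/tomcat8 (server.xml, and context.xml at the global or per-application level) before and after the upgrade; the third finding in audit_ajp is the one behind the advisory's WARNING, since an AJP connector with secretRequired left at its new default and no secret will not start. The filter check only detects a missing or "null" filter, not an over-broad regex such as ".*", which must still be reviewed by hand.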
    
    
    For Debian 8 "Jessie", these problems have been fixed in version
    8.0.14-1+deb8u17.
    
    We recommend that you upgrade your tomcat8 packages.
    
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://wiki.debian.org/LTS
    
