Alerts This Week
Warning Icon 1 758
Alerts This Week
Warning Icon 1 758

SUSE: 2020:0632-1 Important: Tomcat DoS and Privilege Escalation Fixes

suse
Calendar Grey March 10, 2020
Dist Suse Esm H88
Updating to Tomcat 9.0.31 addresses severe vulnerabilities such as denial of service, elevation of privileges, and HTTP request smuggling.
An update that fixes 6 vulnerabilities is now available

Summary

This update for tomcat to version 9.0.31 fixes the following issues: Security issues fixed: - CVE-2019-10072: Fixed a denial-of-service that could have been caused by clients omitting WINDOW_UPDATE messages in HTTP/2 streams (bsc#1139924). - CVE-2019-12418: Fixed a local privilege escalation by manipulating the RMI registry (bsc#1159723). - CVE-2019-17563: Fixed a session fixation attack when using FORM authentication (bsc#1159729). - CVE-2019-17569: Fixed a regression in the handling of Transfer-Encoding headers that would have allowed HTTP Request Smuggling (bsc#1164825). - CVE-2020-1935: Fixed an HTTP Request Smuggling issue (bsc#1164860). - CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692). Patch Instructions:

References

#1139924 #1159723 #1159729 #1164692 #1164825

#1164860

Cross- CVE-2019-10072 CVE-2019-12418 CVE-2019-17563

CVE-2019-17569 CVE-2020-1935 CVE-2020-1938

Affected Products:

SUSE Linux Enterprise Server 12-SP5

SUSE Linux Enterprise Server 12-SP4

https://www.suse.com/security/cve/CVE-2019-10072.html

https://www.suse.com/security/cve/CVE-2019-12418.html

https://www.suse.com/security/cve/CVE-2019-17563.html

https://www.suse.com/security/cve/CVE-2019-17569.html

https://www.suse.com/security/cve/CVE-2020-1935.html

https://www.suse.com/security/cve/CVE-2020-1938.html

https://bugzilla.suse.com/1139924

https://bugzilla.suse.com/1159723

https://bugzilla.suse.com/1159729

https://bugzilla.suse.com/1164692

https://bugzilla.suse.com/1164825

Severity
important
Lowest
Low
Medium
High
Critical

Announcement ID: SUSE-SU-2020:0632-1
Rating: important

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here