Explore top 10 tips to secure your open-source projects now. Read More
×
It was discovered that Apache Tomcat from 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an . - ----------------------------------------------------------------------- Debian LTS Advisory DLA-2495-1
The package tomcat8 before version 8.5.60-1 is vulnerable to information disclosure. . Arch Linux Security Advisory ASA-202012-4 ======================================== Severity: Medium Date : 2020-12-05 CVE-ID : CVE-2020-17527 Package : tomcat8 Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-1316 Summary ====== The package tomcat8 before version 8.5.60-1 is vulnerable to information disclosure. Resolution ========= Upgrade to 8.5.60-1. # pacman -Syu "tomcat8> =8.5.60-1" The problem has been fixed upstream in version 8.5.60. Workaround ========= None. Description ========== It was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. Impact ===== A remote attacker might be able to access sensitive information via well-timed HTTP/2 requests. References ========= https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.60 https://github.com/apache/tomcat/commit/21e3408671aac7e0d7e264e720cac8b1b189eb29 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40 https://github.com/apache/tomcat/commit/d56293f816d6dc9e2b47107f208fa9e95db58c65 https://security.archlinux.org/CVE-2020-17527 . The Fedora Security Notice FSA-202012-3 informs users of a moderate risk information leak associated with nginx prior to 1.18.0-1.. Arch Linux, Tomcat8 Advisory, Information Disclosure Risk. . Severity: Medium. LinuxSecurity.com Team
The package tomcat8 before version 8.5.56-1 is vulnerable to denial of service. . Arch Linux Security Advisory ASA-202006-16 ========================================= Severity: Medium Date : 2020-06-28 CVE-ID : CVE-2020-11996 Package : tomcat8 Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-1197 Summary ====== The package tomcat8 before version 8.5.56-1 is vulnerable to denial of service. Resolution ========= Upgrade to 8.5.56-1. # pacman -Syu "tomcat8> =8.5.56-1" The problem has been fixed upstream in version 8.5.56. Workaround ========= None. Description ========== A denial of service has been found in Apache Tomcat before 9.0.36 and 8.5.56, where a specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. Impact ===== A remote attacker might be able to cause a denial of service via a specially crafted sequence of HTTP/2 requests. References ========= https://www.openwall.com/lists/oss-security/2020/06/25/6 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.36 https://github.com/apache/tomcat/commit/9a0231683a77e2957cea0fdee88b193b30b0c976 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.56 https://github.com/apache/tomcat/commit/c8acd2ab7371e39aeca7c306f3b5380f00afe552 https://security.archlinux.org/CVE-2020-11996 . A security advisory for Tomcat8 on Arch Linux warns of a potential DoS vulnerability. Users should quickly apply updates using 'sudo pacman -Syu tomcat8' for protection.. Arch Linux, tomcat8, denial of service, security advisory, software update. . Severity: Medium. LinuxSecurity.com Team
The package tomcat8 before version 8.5.55-1 is vulnerable to arbitrary code execution. . Arch Linux Security Advisory ASA-202006-5 ======================================== Severity: High Date : 2020-06-06 CVE-ID : CVE-2020-9484 Package : tomcat8 Type : arbitrary code execution Remote : Yes Link : https://security.archlinux.org/AVG-1170 Summary ====== The package tomcat8 before version 8.5.55-1 is vulnerable to arbitrary code execution. Resolution ========= Upgrade to 8.5.55-1. # pacman -Syu "tomcat8> =8.5.55-1" The problem has been fixed upstream in version 8.5.55. Workaround ========= None. Description ========== When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if: a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. Impact ===== A remote attacker can execute code on the affected host if they control the file content and know the path. References ========= https://lists.apache.org/thread/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1@%3Cannounce.tomcat.apache.org%3E https://security.archlinux.org/CVE-2020-9484 . Arch Linux Security Advisory ASA-202006-5 ======================================== Severity: High Da. package, tomcat8, version, vulnerable, arbitrary, execution, linux. . LinuxSecurity.com Team
Tomcat8 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle . Package : tomcat8 Version : 8.0.14-1+deb8u16 CVE ID : CVE-2019-12418 Tomcat8 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. For Debian 8 "Jessie", this problem has been fixed in version 8.0.14-1+deb8u16. We recommend that you upgrade your tomcat8 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . Tomcat9 security patch addresses a vulnerability in the AJP connector that could allow remote exploitation, enabling unauthorized access to the server.. Tomcat8 Security, Debian Updates, Remote Lifecycle Listener. . Severity: Critical. LinuxSecurity.com Team
Several minor issues have been fixed in tomcat8, a Java Servlet and JSP engine. . Package : tomcat8 Version : 8.0.14-1+deb8u15 CVE ID : CVE-2016-5388 CVE-2018-8014 CVE-2019-0221 Debian Bug : 929895 898935 Several minor issues have been fixed in tomcat8, a Java Servlet and JSP engine. CVE-2016-5388 Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. The 'cgi' servlet now has a 'envHttpHeaders' parameter to filter environment variables. CVE-2018-8014 The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. CVE-2019-0221 The SSI printenv command in Apache Tomcat echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. For Debian 8 "Jessie", these problems have been fixed in version 8.0.14-1+deb8u15. We recommend that you upgrade your tomcat8 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS . The PostgreSQL security patch DLA-2021-3 resolves critical vulnerabilities that impact database integrity.. Tomcat8, Debian Security, Java Servlet, Maintenance Update, Web Application. .Severity: Important. LinuxSecurity.com Team
Several issues were discovered in the Tomcat servlet and JSP engine. They could lead to unauthorized access to protected resources, denial-of-service, or information leak. . - ------------------------------------------------------------------------- Debian Security Advisory DSA-4281-1
Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and JSP engine, static error pages used the original request's HTTP method to serve content, instead of systematically using the GET method. This could under certain conditions result in undesirable results, . - ------------------------------------------------------------------------- Debian Security Advisory DSA-3891-1
Get the latest Linux and open source security news straight to your inbox.