Описание
Security update for tomcat
This update for tomcat fixes the following issues:
CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912) CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)
Список пакетов
Container containers/apache-tomcat:9-openjdk11
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Container containers/apache-tomcat:9-openjdk17
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Container containers/apache-tomcat:9-openjdk21
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Container containers/apache-tomcat:9-openjdk8
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Container suse/manager/5.0/x86_64/server:latest
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP2-Manager-4-1-Server-BYOS-Azure
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP2-Manager-4-1-Server-BYOS-EC2-HVM
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP2-Manager-4-1-Server-BYOS-GCE
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP4-Manager-Server-4-3
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP4-Manager-Server-4-3-Azure-llc
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP4-Manager-Server-4-3-Azure-ltd
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP4-Manager-Server-4-3-BYOS
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP4-Manager-Server-4-3-EC2-llc
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image SLES15-SP4-Manager-Server-4-3-EC2-ltd
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image server-image
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
Image tomcat_15_6
tomcat-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP2
tomcat-9.0.36-3.24.1
tomcat-admin-webapps-9.0.36-3.24.1
tomcat-el-3_0-api-9.0.36-3.24.1
tomcat-jsp-2_3-api-9.0.36-3.24.1
tomcat-lib-9.0.36-3.24.1
tomcat-servlet-4_0-api-9.0.36-3.24.1
tomcat-webapps-9.0.36-3.24.1
Ссылки
- Link for SUSE-SU-2021:1008-1
- E-Mail link for SUSE-SU-2021:1008-1
- SUSE Security Ratings
- SUSE Bug 1182909
- SUSE Bug 1182912
- SUSE CVE CVE-2021-25122 page
- SUSE CVE CVE-2021-25329 page
Описание
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
Затронутые продукты
Container containers/apache-tomcat:9-openjdk11:tomcat-9.0.36-3.24.1
Container containers/apache-tomcat:9-openjdk11:tomcat-el-3_0-api-9.0.36-3.24.1
Container containers/apache-tomcat:9-openjdk11:tomcat-jsp-2_3-api-9.0.36-3.24.1
Container containers/apache-tomcat:9-openjdk11:tomcat-lib-9.0.36-3.24.1
Ссылки
- CVE-2021-25122
- SUSE Bug 1182912
- SUSE Bug 1188549
Описание
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
Затронутые продукты
Container containers/apache-tomcat:9-openjdk11:tomcat-9.0.36-3.24.1
Container containers/apache-tomcat:9-openjdk11:tomcat-el-3_0-api-9.0.36-3.24.1
Container containers/apache-tomcat:9-openjdk11:tomcat-jsp-2_3-api-9.0.36-3.24.1
Container containers/apache-tomcat:9-openjdk11:tomcat-lib-9.0.36-3.24.1
Ссылки
- CVE-2021-25329
- SUSE Bug 1182909
- SUSE Bug 1200696