Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2021:3669-1

Опубликовано: 16 нояб. 2021
Источник: suse-cvrf

Описание

Security update for tomcat

This update for tomcat fixes the following issues:

  • CVE-2021-30640: Escape parameters in JNDI Realm queries (bsc#1188279).
  • CVE-2021-33037: Process T-E header from both HTTP 1.0 and HTTP 1.1. clients (bsc#1188278).
  • CVE-2021-41079: Fixed a denial of service caused by an unexpected TLS packet (bsc#1190558).

Список пакетов

SUSE Enterprise Storage 6
tomcat-9.0.36-4.63.1
tomcat-admin-webapps-9.0.36-4.63.1
tomcat-el-3_0-api-9.0.36-4.63.1
tomcat-jsp-2_3-api-9.0.36-4.63.1
tomcat-lib-9.0.36-4.63.1
tomcat-servlet-4_0-api-9.0.36-4.63.1
tomcat-webapps-9.0.36-4.63.1
SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS
tomcat-9.0.36-4.63.1
tomcat-admin-webapps-9.0.36-4.63.1
tomcat-el-3_0-api-9.0.36-4.63.1
tomcat-jsp-2_3-api-9.0.36-4.63.1
tomcat-lib-9.0.36-4.63.1
tomcat-servlet-4_0-api-9.0.36-4.63.1
tomcat-webapps-9.0.36-4.63.1
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
tomcat-9.0.36-4.63.1
tomcat-admin-webapps-9.0.36-4.63.1
tomcat-el-3_0-api-9.0.36-4.63.1
tomcat-jsp-2_3-api-9.0.36-4.63.1
tomcat-lib-9.0.36-4.63.1
tomcat-servlet-4_0-api-9.0.36-4.63.1
tomcat-webapps-9.0.36-4.63.1
SUSE Linux Enterprise Server 15 SP1-BCL
tomcat-9.0.36-4.63.1
tomcat-admin-webapps-9.0.36-4.63.1
tomcat-el-3_0-api-9.0.36-4.63.1
tomcat-jsp-2_3-api-9.0.36-4.63.1
tomcat-lib-9.0.36-4.63.1
tomcat-servlet-4_0-api-9.0.36-4.63.1
tomcat-webapps-9.0.36-4.63.1
SUSE Linux Enterprise Server 15 SP1-LTSS
tomcat-9.0.36-4.63.1
tomcat-admin-webapps-9.0.36-4.63.1
tomcat-el-3_0-api-9.0.36-4.63.1
tomcat-jsp-2_3-api-9.0.36-4.63.1
tomcat-lib-9.0.36-4.63.1
tomcat-servlet-4_0-api-9.0.36-4.63.1
tomcat-webapps-9.0.36-4.63.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1
tomcat-9.0.36-4.63.1
tomcat-admin-webapps-9.0.36-4.63.1
tomcat-el-3_0-api-9.0.36-4.63.1
tomcat-jsp-2_3-api-9.0.36-4.63.1
tomcat-lib-9.0.36-4.63.1
tomcat-servlet-4_0-api-9.0.36-4.63.1
tomcat-webapps-9.0.36-4.63.1

Ссылки

Описание

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

Затронутые продукты
SUSE Enterprise Storage 6:tomcat-9.0.36-4.63.1
SUSE Enterprise Storage 6:tomcat-admin-webapps-9.0.36-4.63.1
SUSE Enterprise Storage 6:tomcat-el-3_0-api-9.0.36-4.63.1
SUSE Enterprise Storage 6:tomcat-jsp-2_3-api-9.0.36-4.63.1
Ссылки

Описание

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Затронутые продукты
SUSE Enterprise Storage 6:tomcat-9.0.36-4.63.1
SUSE Enterprise Storage 6:tomcat-admin-webapps-9.0.36-4.63.1
SUSE Enterprise Storage 6:tomcat-el-3_0-api-9.0.36-4.63.1
SUSE Enterprise Storage 6:tomcat-jsp-2_3-api-9.0.36-4.63.1
Ссылки

Описание

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

Затронутые продукты
SUSE Enterprise Storage 6:tomcat-9.0.36-4.63.1
SUSE Enterprise Storage 6:tomcat-admin-webapps-9.0.36-4.63.1
SUSE Enterprise Storage 6:tomcat-el-3_0-api-9.0.36-4.63.1
SUSE Enterprise Storage 6:tomcat-jsp-2_3-api-9.0.36-4.63.1
Ссылки
Уязвимость SUSE-SU-2021:3669-1