Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2022:4257-1

Опубликовано: 28 нояб. 2022
Источник: suse-cvrf

Описание

Security update for tomcat

This update for tomcat fixes the following issues:

  • CVE-2021-43980: Fixed information disclosure due to concurrency issues in Http11Processor (bsc#1203868).
  • CVE-2022-42252: Fixed a request smuggling (bsc#1204918).

Список пакетов

SUSE Enterprise Storage 6
tomcat-9.0.36-150100.4.81.1
tomcat-admin-webapps-9.0.36-150100.4.81.1
tomcat-el-3_0-api-9.0.36-150100.4.81.1
tomcat-jsp-2_3-api-9.0.36-150100.4.81.1
tomcat-lib-9.0.36-150100.4.81.1
tomcat-servlet-4_0-api-9.0.36-150100.4.81.1
tomcat-webapps-9.0.36-150100.4.81.1
SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS
tomcat-9.0.36-150100.4.81.1
tomcat-admin-webapps-9.0.36-150100.4.81.1
tomcat-el-3_0-api-9.0.36-150100.4.81.1
tomcat-jsp-2_3-api-9.0.36-150100.4.81.1
tomcat-lib-9.0.36-150100.4.81.1
tomcat-servlet-4_0-api-9.0.36-150100.4.81.1
tomcat-webapps-9.0.36-150100.4.81.1
SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
tomcat-9.0.36-150100.4.81.1
tomcat-admin-webapps-9.0.36-150100.4.81.1
tomcat-el-3_0-api-9.0.36-150100.4.81.1
tomcat-jsp-2_3-api-9.0.36-150100.4.81.1
tomcat-lib-9.0.36-150100.4.81.1
tomcat-servlet-4_0-api-9.0.36-150100.4.81.1
tomcat-webapps-9.0.36-150100.4.81.1
SUSE Linux Enterprise Server 15 SP1-BCL
tomcat-9.0.36-150100.4.81.1
tomcat-admin-webapps-9.0.36-150100.4.81.1
tomcat-el-3_0-api-9.0.36-150100.4.81.1
tomcat-jsp-2_3-api-9.0.36-150100.4.81.1
tomcat-lib-9.0.36-150100.4.81.1
tomcat-servlet-4_0-api-9.0.36-150100.4.81.1
tomcat-webapps-9.0.36-150100.4.81.1
SUSE Linux Enterprise Server 15 SP1-LTSS
tomcat-9.0.36-150100.4.81.1
tomcat-admin-webapps-9.0.36-150100.4.81.1
tomcat-el-3_0-api-9.0.36-150100.4.81.1
tomcat-jsp-2_3-api-9.0.36-150100.4.81.1
tomcat-lib-9.0.36-150100.4.81.1
tomcat-servlet-4_0-api-9.0.36-150100.4.81.1
tomcat-webapps-9.0.36-150100.4.81.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1
tomcat-9.0.36-150100.4.81.1
tomcat-admin-webapps-9.0.36-150100.4.81.1
tomcat-el-3_0-api-9.0.36-150100.4.81.1
tomcat-jsp-2_3-api-9.0.36-150100.4.81.1
tomcat-lib-9.0.36-150100.4.81.1
tomcat-servlet-4_0-api-9.0.36-150100.4.81.1
tomcat-webapps-9.0.36-150100.4.81.1

Ссылки

Описание

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

Затронутые продукты
SUSE Enterprise Storage 6:tomcat-9.0.36-150100.4.81.1
SUSE Enterprise Storage 6:tomcat-admin-webapps-9.0.36-150100.4.81.1
SUSE Enterprise Storage 6:tomcat-el-3_0-api-9.0.36-150100.4.81.1
SUSE Enterprise Storage 6:tomcat-jsp-2_3-api-9.0.36-150100.4.81.1
Ссылки

Описание

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

Затронутые продукты
SUSE Enterprise Storage 6:tomcat-9.0.36-150100.4.81.1
SUSE Enterprise Storage 6:tomcat-admin-webapps-9.0.36-150100.4.81.1
SUSE Enterprise Storage 6:tomcat-el-3_0-api-9.0.36-150100.4.81.1
SUSE Enterprise Storage 6:tomcat-jsp-2_3-api-9.0.36-150100.4.81.1
Ссылки