SUSE-SU-2023:1769-1

Published: 05 Apr 2023
Source: suse-cvrf

Description

Security update for tomcat

This update for tomcat fixes the following issues:

  • CVE-2023-28708: Fixed an information disclosure where session cookies created behind a reverse proxy (RemoteIpFilter with X-Forwarded-Proto: https) were issued without the Secure attribute (bsc#1209622).
  • CVE-2023-24998: Fixed a FileUpload denial of service caused by a request with an excessive number of parts (bsc#1208513).

Package list

Container containers/apache-tomcat:9-openjdk11
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Container containers/apache-tomcat:9-openjdk17
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Container containers/apache-tomcat:9-openjdk21
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Container containers/apache-tomcat:9-openjdk8
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Container suse/manager/5.0/x86_64/server:latest
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Container suse/multi-linux-manager/5.1/x86_64/server:latest
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image SLES15-SP4-Manager-Server-4-3
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image SLES15-SP4-Manager-Server-4-3-Azure-llc
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image SLES15-SP4-Manager-Server-4-3-Azure-ltd
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image SLES15-SP4-Manager-Server-4-3-BYOS
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image SLES15-SP4-Manager-Server-4-3-EC2-llc
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image SLES15-SP4-Manager-Server-4-3-EC2-ltd
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image server-image
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
Image tomcat_15_6
tomcat-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
SUSE Enterprise Storage 7
tomcat-9.0.43-150200.35.1
tomcat-admin-webapps-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
tomcat-webapps-9.0.43-150200.35.1
SUSE Enterprise Storage 7.1
tomcat-9.0.43-150200.35.1
tomcat-admin-webapps-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
tomcat-webapps-9.0.43-150200.35.1
SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
tomcat-9.0.43-150200.35.1
tomcat-admin-webapps-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
tomcat-webapps-9.0.43-150200.35.1
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS
tomcat-9.0.43-150200.35.1
tomcat-admin-webapps-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
tomcat-webapps-9.0.43-150200.35.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
tomcat-9.0.43-150200.35.1
tomcat-admin-webapps-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
tomcat-webapps-9.0.43-150200.35.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP4
tomcat-9.0.43-150200.35.1
tomcat-admin-webapps-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
tomcat-webapps-9.0.43-150200.35.1
SUSE Linux Enterprise Server 15 SP2-LTSS
tomcat-9.0.43-150200.35.1
tomcat-admin-webapps-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
tomcat-webapps-9.0.43-150200.35.1
SUSE Linux Enterprise Server 15 SP3-LTSS
tomcat-9.0.43-150200.35.1
tomcat-admin-webapps-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
tomcat-webapps-9.0.43-150200.35.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2
tomcat-9.0.43-150200.35.1
tomcat-admin-webapps-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
tomcat-webapps-9.0.43-150200.35.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3
tomcat-9.0.43-150200.35.1
tomcat-admin-webapps-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
tomcat-webapps-9.0.43-150200.35.1
SUSE Manager Server 4.2
tomcat-9.0.43-150200.35.1
tomcat-admin-webapps-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
tomcat-webapps-9.0.43-150200.35.1
openSUSE Leap 15.4
tomcat-9.0.43-150200.35.1
tomcat-admin-webapps-9.0.43-150200.35.1
tomcat-docs-webapp-9.0.43-150200.35.1
tomcat-el-3_0-api-9.0.43-150200.35.1
tomcat-embed-9.0.43-150200.35.1
tomcat-javadoc-9.0.43-150200.35.1
tomcat-jsp-2_3-api-9.0.43-150200.35.1
tomcat-jsvc-9.0.43-150200.35.1
tomcat-lib-9.0.43-150200.35.1
tomcat-servlet-4_0-api-9.0.43-150200.35.1
tomcat-webapps-9.0.43-150200.35.1
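The package list above gives the fixed NEVR for every affected product, so the practical check on a host is whether the installed tomcat packages compare at or above 9.0.43-150200.35.1 under RPM's own version ordering. The following is an added example, not part of the advisory or of SUSE's tooling: it reimplements the rpmvercmp() segment comparison in Python and runs it over a constructed sample of `rpm -qa 'tomcat*'` output. The sample lines and the package names in FIXED_NVRS are taken from this advisory; the partly updated host they describe is constructed for the demonstration.

```python
import re

# Fixed package versions from this advisory (SLE 15 SP2/SP3/SP4 codestream).
FIXED_NVRS = [
    "tomcat-9.0.43-150200.35.1",
    "tomcat-admin-webapps-9.0.43-150200.35.1",
    "tomcat-el-3_0-api-9.0.43-150200.35.1",
    "tomcat-jsp-2_3-api-9.0.43-150200.35.1",
    "tomcat-lib-9.0.43-150200.35.1",
    "tomcat-servlet-4_0-api-9.0.43-150200.35.1",
    "tomcat-webapps-9.0.43-150200.35.1",
]

_ARCHES = ("noarch", "x86_64", "aarch64", "ppc64le", "s390x", "i586", "i686")
_SEGMENT = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings like rpmvercmp(): -1, 0 or 1.

    Strings are split into numeric and alphabetic segments; numeric segments
    compare as integers (35 > 9), an alphabetic segment sorts below a numeric
    one, and '~' marks a pre-release that sorts below everything, including
    the end of the other string.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        else:
            return -1 if x < y else 1
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    if len(sb) > len(sa):
        return 1 if sb[len(sa)] == "~" else -1
    return 0


def split_nevr(pkg: str):
    """'tomcat-lib-9.0.43-150200.35.1.noarch' -> ('tomcat-lib', 0, '9.0.43', '150200.35.1')."""
    for arch in _ARCHES:
        if pkg.endswith("." + arch):
            pkg = pkg[: -len(arch) - 1]
            break
    name, version, release = pkg.rsplit("-", 2)
    epoch = 0
    if ":" in version:  # '%{EPOCH}:%{VERSION}' style output
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release


def evr_cmp(installed: str, fixed: str) -> int:
    _, ei, vi, ri = split_nevr(installed)
    _, ef, vf, rf = split_nevr(fixed)
    if ei != ef:
        return -1 if ei < ef else 1
    return rpmvercmp(vi, vf) or rpmvercmp(ri, rf)


def is_patched(installed: str, fixed: str) -> bool:
    return evr_cmp(installed, fixed) >= 0


def audit(rpm_qa_lines):
    """Map each installed package named in the advisory to True (fixed) or False (vulnerable)."""
    fixed_by_name = {split_nevr(n)[0]: n for n in FIXED_NVRS}
    result = {}
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        name = split_nevr(line)[0]
        if name in fixed_by_name:
            result[name] = is_patched(line, fixed_by_name[name])
    return result


# Constructed sample of `rpm -qa 'tomcat*'` from a host where only some packages were updated.
SAMPLE_RPM_QA = """\
tomcat-9.0.43-150200.34.1.noarch
tomcat-lib-9.0.43-150200.35.1.noarch
tomcat-el-3_0-api-9.0.43-150200.35.1.noarch
tomcat-jsp-2_3-api-9.0.43-150200.36.2.noarch
""".splitlines()

if __name__ == "__main__":
    for name, ok in audit(SAMPLE_RPM_QA).items():
        print(f"{name:28s} {'patched' if ok else 'VULNERABLE'}")
```

The comparison is only meaningful within the same codestream: a tomcat package from a different SUSE product line carries a different release string and is covered by a different advisory, so a lower result there means "check the advisory for that product", not necessarily "vulnerable to this one".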

Description (CVE-2023-24998)

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
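What "excessive parts" means in practice, and why the ceiling has to be checked before a part is buffered rather than after, is easier to see in code. The block below is an added example and not code from Commons FileUpload or Tomcat: a minimal multipart/form-data builder, a parser that mirrors the FileUploadBase#setFileCountMax semantics (a limit of -1, the default, means unlimited), and a constructed flood body of thousands of one-byte parts of the kind the description refers to. The boundary string and field names are made up for the demonstration, and the parser is deliberately not RFC-complete (it assumes the boundary never appears inside a part).

```python
from typing import Dict, List, Optional, Tuple

Part = Tuple[Dict[str, str], bytes]


class FileCountLimitExceeded(Exception):
    """Raised before a part beyond the configured ceiling is buffered."""


def build_multipart(fields: List[Tuple[str, Optional[str], bytes]], boundary: bytes) -> bytes:
    """Serialise (name, filename, content) triples into a multipart/form-data body."""
    out = bytearray()
    for name, filename, content in fields:
        out += b"--" + boundary + b"\r\n"
        disposition = f'Content-Disposition: form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        out += disposition.encode("ascii") + b"\r\n\r\n" + content + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)


def parse_multipart(body: bytes, boundary: bytes, file_count_max: int = -1) -> List[Part]:
    """Parse a multipart body, refusing to buffer more than file_count_max parts.

    file_count_max = -1 (the default, as in FileUpload) disables the check, which
    is the vulnerable configuration: every part of a malicious upload is retained.
    The check runs before the part is stored, so memory never grows past the ceiling.
    """
    parts: List[Part] = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter '--boundary--'
        if file_count_max >= 0 and len(parts) >= file_count_max:
            raise FileCountLimitExceeded(f"request has more than {file_count_max} parts")
        raw_headers, _, payload = chunk.partition(b"\r\n\r\n")
        headers: Dict[str, str] = {}
        for line in raw_headers.strip(b"\r\n").split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            headers[key.strip()] = value.strip()
        parts.append((headers, payload[:-2] if payload.endswith(b"\r\n") else payload))
    return parts


def rejects(body: bytes, boundary: bytes, file_count_max: int) -> bool:
    """True if the parser refuses the body under the given part ceiling."""
    try:
        parse_multipart(body, boundary, file_count_max)
    except FileCountLimitExceeded:
        return True
    return False


BOUNDARY = b"----constructed-boundary-7f3a"  # constructed for the example


def flood_body(n_parts: int) -> bytes:
    """Constructed attack body: n_parts tiny parts, each costing the server one buffered item."""
    return build_multipart([(f"p{i}", None, b"x") for i in range(n_parts)], BOUNDARY)


if __name__ == "__main__":
    flood = flood_body(5000)
    print(len(flood), "bytes,", len(parse_multipart(flood, BOUNDARY)), "parts buffered with no limit")
    print("rejected with file_count_max=100:", rejects(flood, BOUNDARY, 100))
```

The limit is a count, not a size: a few hundred kilobytes of body are enough to carry thousands of parts, which is why the size limits that are usually configured do not stop this on their own.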


Affected products
Container containers/apache-tomcat:9-openjdk11:tomcat-9.0.43-150200.35.1
Container containers/apache-tomcat:9-openjdk11:tomcat-el-3_0-api-9.0.43-150200.35.1
Container containers/apache-tomcat:9-openjdk11:tomcat-jsp-2_3-api-9.0.43-150200.35.1
Container containers/apache-tomcat:9-openjdk11:tomcat-lib-9.0.43-150200.35.1

References

Description (CVE-2023-28708)

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.
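The description covers the common deployment where TLS terminates at the proxy and the hop into Tomcat is plain HTTP, so the only signal that the client connection was HTTPS is the X-Forwarded-Proto header. The block below is an added model of that behaviour, not Tomcat's code: a RemoteIpFilter-style step that honours X-Forwarded-Proto only from a trusted proxy address, the session cookie as it was issued (Secure decided from the raw proxy-to-Tomcat hop) next to the corrected behaviour (Secure decided from the proxy-adjusted view), and a check a tester can run on a captured Set-Cookie header. The proxy address, client addresses and session ids are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict

# Assumed RemoteIpFilter settings: the only peer allowed to assert X-Forwarded-* headers.
TRUSTED_PROXIES = {"10.0.0.5"}
PROTOCOL_HEADER = "X-Forwarded-Proto"
PROTOCOL_HEADER_HTTPS_VALUE = "https"


@dataclass
class Request:
    remote_addr: str          # peer that opened the TCP connection to Tomcat
    headers: Dict[str, str]
    transport_tls: bool       # whether that hop itself was TLS
    secure: bool = False      # what isSecure() reports to the application
    scheme: str = "http"


def remote_ip_filter(req: Request) -> Request:
    """Model of RemoteIpFilter: trust X-Forwarded-Proto only from a configured proxy.

    Returns a new Request whose secure/scheme reflect the client's real connection.
    A client reaching Tomcat directly and forging the header gets no upgrade.
    """
    proto = req.headers.get(PROTOCOL_HEADER, "").lower()
    if req.remote_addr in TRUSTED_PROXIES and proto == PROTOCOL_HEADER_HTTPS_VALUE:
        return replace(req, secure=True, scheme="https")
    return replace(req, secure=req.transport_tls, scheme="https" if req.transport_tls else "http")


def build_set_cookie(session_id: str, secure: bool) -> str:
    attrs = [f"JSESSIONID={session_id}", "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def session_cookie_vulnerable(req: Request, session_id: str) -> str:
    """Modelled flaw: Secure follows the raw proxy->Tomcat hop, which is plain HTTP."""
    return build_set_cookie(session_id, secure=req.transport_tls)


def session_cookie_fixed(req: Request, session_id: str) -> str:
    """Corrected behaviour: Secure follows the proxy-adjusted view of the request."""
    return build_set_cookie(session_id, secure=req.secure)


def has_secure_flag(set_cookie: str) -> bool:
    """Tester's check on a captured Set-Cookie header: is the Secure attribute present?"""
    return any(attr.strip().lower() == "secure" for attr in set_cookie.split(";"))


# Constructed: browser spoke HTTPS to the proxy, proxy spoke HTTP to Tomcat.
FROM_PROXY = Request(
    "10.0.0.5",
    {"X-Forwarded-For": "203.0.113.9", "X-Forwarded-Proto": "https"},
    transport_tls=False,
)
# Constructed: client connects to Tomcat directly and forges the header.
FORGED = Request("198.51.100.7", {"X-Forwarded-Proto": "https"}, transport_tls=False)

if __name__ == "__main__":
    req = remote_ip_filter(FROM_PROXY)
    print("before fix:", session_cookie_vulnerable(req, "s1"))
    print("after fix: ", session_cookie_fixed(req, "s1"))
    print("forged header upgraded?", remote_ip_filter(FORGED).secure)
```

Without the Secure attribute a browser will also send JSESSIONID on any plain http:// request to the same host, for instance one injected by an on-path attacker, which is the "insecure channel" the description refers to. Checking the Set-Cookie header of a login response through the proxy is a quick way to confirm the update took effect.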


Affected products
Container containers/apache-tomcat:9-openjdk11:tomcat-9.0.43-150200.35.1
Container containers/apache-tomcat:9-openjdk11:tomcat-el-3_0-api-9.0.43-150200.35.1
Container containers/apache-tomcat:9-openjdk11:tomcat-jsp-2_3-api-9.0.43-150200.35.1
Container containers/apache-tomcat:9-openjdk11:tomcat-lib-9.0.43-150200.35.1

References
Vulnerability SUSE-SU-2023:1769-1