Posted to users@tomcat.apache.org by Matthew Mellon <mm...@ecrs.com.INVALID> on 2022/03/21 16:26:50 UTC

Question about Tomcat 8.5.77 and CVE-2022-0778

Tomcat 8.5.77 was published on March 17. The Windows distribution contains tcnative-1.dll, version 1.2.31.

Tcnative-1.dll appears to be statically linked to OpenSSL, and was built in 2021, prior to the fix for CVE-2022-0778 being published by OpenSSL.

The tcnative source tree was updated to "recommend" a new version of OpenSSL six days ago, but the DLL in the 8.5.77 release doesn't appear to have been built with this change.

I believe this means that if an APR connector is enabled, that the Windows distribution of Tomcat 8.5.77 is exposed to a pretty severe DOS attack vector. I emailed security@tomcat.apache.org<ma...@tomcat.apache.org> about this, believing that that was the responsible way to bring this to light, but received a pretty nasty email in response that told me that this mailing list was the correct forum.

Would it be possible to get a canonical version of Tomcat (e.g. 8.5.78) built that contains the remediation for CVE-2022-0778? Is there anything I can do to help?

Matthew Mellon CISSP
Chief Information Security Officer
828.265.2907 ext 5058  |   www.ecrs.com<https://www.ecrs.com/>



Re: Question about Tomcat 8.5.77 and CVE-2022-0778

Posted by Mark Thomas <ma...@apache.org>.
On 21/03/2022 16:26, Matthew Mellon wrote:
> Tomcat 8.5.77 was published on March 17. The Windows distribution 
> contains tcnative-1.dll, version 1.2.31.
> 
> Tcnative-1.dll appears to be statically linked to OpenSSL, and was built 
> in 2021, prior to the fix for CVE-2022-0778 being published by OpenSSL.
> 
> The tcnative source tree was updated to “recommend” a new version of 
> OpenSSL six days ago, but the DLL in the 8.5.77 release doesn’t appear 
> to have been built with this change.
> 
> I believe this means that if an APR connector is enabled, that the 
> Windows distribution of Tomcat 8.5.77 is exposed to a pretty severe DOS 
> attack vector. I emailed security@tomcat.apache.org 
> <ma...@tomcat.apache.org> about this, believing that that was 
> the responsible way to bring this to light, but received a pretty nasty 
> email in response that told me that this mailing list was the correct forum.

CVE-2022-0778 is public. You posted a question to the Apache Tomcat 
security team that did not concern an undisclosed security vulnerability 
in Apache Tomcat. This happens sufficiently often that we have a canned 
response for when this happens. For the record this is the content of 
that canned response:

<quote>
To whom it may concern,

You recently contacted the Apache Tomcat security team. As explained
in [1], the e-mail address you used should only be used for
reporting undisclosed security vulnerabilities in Apache Tomcat and
managing the process of fixing such vulnerabilities. Your e-mail does
not meet those criteria.

You may wish to read some information on how the ASF works [2] before
proceeding with your enquiry via the appropriate channel which will
almost certainly be the Apache Tomcat users mailing list. [3]

The Apache Tomcat security team

[1] http://tomcat.apache.org/security.html
[2] http://apache.org/foundation/how-it-works.html
[3] https://tomcat.apache.org/lists.html#tomcat-users
</quote>

> Would it be possible to get a canonical version of Tomcat (e.g. 8.5.78) 
> built that contains the remediation for CVE-2022-0778?

There is a Tomcat Native 1.2.32 release in progress at the moment that 
includes convenience Windows binaries built with OpenSSL 1.1.1n.

That release vote looks like it is going to pass so that release should 
be available on the download pages sometime tomorrow.

Tomcat releases are usually monthly with the process starting at the 
beginning of the month. I'd therefore expect to see an 8.5.78 release 
roughly around the second week of April that included the Tomcat Native 
1.2.32 release.

> Is there anything I can do to help?

Test the Tomcat Native 1.2.32 release. Details on the dev@ list.

The changes since 1.2.31 are minor and don't include any code changes so 
the likelihood of a regression is low. However, the more people that 
test a release and VOTE on it the better.

Test the 8.5.78 release when it happens. Watch the dev@ list for details.

Some other options:

Disable the APR/Native library so Tomcat uses NIO+JSSE instead.

Update to Tomcat Native 1.2.32 once released (single DLL for Windows 
that is a drop-in replacement).

Build 1.2.31 from source using OpenSSL 1.1.1n. The build process we use 
is documented at [1]. The hoop jumping is mainly to ensure that the 
resulting binaries will run on all currently supported Windows versions 
without requiring that additional runtimes etc. are installed. Given 
that 1.2.32 is so close to release, it may not be worth the time 
required to follow this option.

Mark


[1] 
https://cwiki.apache.org/confluence/display/TOMCAT/Building+the+Tomcat+Native+Connector+binaries+for+Windows

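A practical way to act on the thread above is to check which OpenSSL the tcnative DLL (or a running Tomcat) actually carries, rather than trusting the tcnative version number. OpenSSL embeds its OPENSSL_VERSION_TEXT string (e.g. "OpenSSL 1.1.1k  25 Mar 2021") in every build, and Tomcat's AprLifecycleListener prints that same string at startup. The script below is an added example, not code from the thread or from the Tomcat project: it scans a DLL file or a log line for that string and compares it against the versions in which OpenSSL shipped the CVE-2022-0778 fix (1.0.2zd, 1.1.1n and 3.0.2, per the OpenSSL advisory; the page itself only mentions 1.1.1n). The sample DLL bytes and log line are constructed for the example.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# OPENSSL_VERSION_TEXT as embedded in the binary / printed in logs:
# "OpenSSL 1.1.1k  25 Mar 2021"
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\s+\d{1,2} \w{3} \d{4}")

Version = Tuple[int, int, int, Tuple[int, str]]


def parse_version(text: str) -> Version:
    """'1.0.2zd' -> (1, 0, 2, (2, 'zd')).  The letter suffix is ordered by
    (length, string) so that '' < 'a' < ... < 'z' < 'za' < ... < 'zd'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"not an OpenSSL version: {text!r}")
    letter = m.group(4)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), (len(letter), letter))


# First release of each supported branch containing the CVE-2022-0778 fix.
FIXED_IN = [parse_version(v) for v in ("1.0.2zd", "1.1.1n", "3.0.2")]


def branch(v: Version) -> Tuple[int, ...]:
    # 1.x.y lettered releases share a branch on (major, minor, patch);
    # 3.x uses (major, minor) with a numeric patch level.
    return v[:3] if v[0] < 3 else v[:2]


def is_vulnerable(version: str) -> Optional[bool]:
    """True if older than the fixed release of its branch, False if fixed,
    None if the branch is not one the advisory lists (e.g. EOL 1.1.0)."""
    v = parse_version(version)
    for fixed in FIXED_IN:
        if branch(fixed) == branch(v):
            return v < fixed
    return None


def find_openssl_versions(blob: bytes) -> List[str]:
    return [m.group(1).decode() for m in VERSION_RE.finditer(blob)]


def check_blob(blob: bytes) -> Dict[str, Optional[bool]]:
    """Map every OpenSSL version string found in blob to its CVE-2022-0778 status."""
    return {v: is_vulnerable(v) for v in find_openssl_versions(blob)}


def check_dll(path: str) -> Dict[str, Optional[bool]]:
    return check_blob(Path(path).read_bytes())


# Constructed stand-ins: a fake PE header plus an embedded version string,
# and a Tomcat startup log line as AprLifecycleListener prints it.
SAMPLE_DLL = b"MZ\x90\x00" + b"\x00" * 16 + b"OpenSSL 1.1.1k  25 Mar 2021\x00" + b"\x00" * 8
SAMPLE_LOG = b"INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1n  15 Mar 2022]"
```

Run `check_dll(r"C:\tomcat\bin\tcnative-1.dll")` on a real install; a result of `{"1.1.1k": True}` means the DLL was built before the fix and one of Mark's options (disable APR, drop in 1.2.32, or rebuild against 1.1.1n) applies.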
