Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2023/06/21 10:20:51 UTC

[SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

CVE-2023-34981 Apache Tomcat - Information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M5
Apache Tomcat 10.1.8
Apache Tomcat 9.0.74
Apache Tomcat 8.5.88

Description:
The fix for bug 66512 introduced a regression that was fixed as bug 
66591. The regression meant that, if a response did not have any HTTP 
headers set, no AJP SEND_HEADERS message would be sent which in turn 
meant that at least one AJP based proxy (mod_proxy_ajp) would use the 
response headers from the previous request for the current request 
leading to an information leak.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M6 or later
- Upgrade to Apache Tomcat 10.1.9 or later
- Upgrade to Apache Tomcat 9.0.75 or later
- Upgrade to Apache Tomcat 8.5.89 or later

Credit:
Hidenobu Hayashi and Yuichiro Fukubayashi of M3, Inc.

History:
2023-06-21 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
[5] https://bz.apache.org/bugzilla/show_bug.cgi?id=66512
[6] https://bz.apache.org/bugzilla/show_bug.cgi?id=66591

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
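A defender's exposure check for this advisory, added here as an example (not code from the Tomcat project or from anyone in this thread): the advisory lists exactly one affected release per branch, and Mark Thomas confirms later in the thread that only setups using AJP connectors are affected, so the check combines the running Tomcat version with whether server.xml has an enabled AJP connector. The two server.xml fragments are constructed for the example; the proxy in front of Tomcat (mod_proxy_ajp or mod_jk) is not inspected.

```python
import xml.etree.ElementTree as ET

# The advisory names exactly one affected release per branch, not ranges.
AFFECTED = {"11.0.0-M5", "10.1.8", "9.0.74", "8.5.88"}
# First fixed release per branch, from the Mitigation section.
FIXED = {"11.0.0": "11.0.0-M6", "10.1": "10.1.9", "9.0": "9.0.75", "8.5": "8.5.89"}

# Constructed server.xml fragments (hypothetical, not taken from a real install).
# Tomcat ships with the AJP connector commented out; the second fragment enables it.
SERVER_XML_AJP_DISABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443"/> -->
  </Service>
</Server>"""
SERVER_XML_AJP_ENABLED = SERVER_XML_AJP_DISABLED.replace("<!-- ", "").replace(" -->", "")


def version_affected(version: str) -> bool:
    """True only for the four exact releases the advisory lists."""
    return version.strip() in AFFECTED


def fixed_release(version: str) -> str:
    """First fixed release on the same branch as the given version."""
    version = version.strip()
    for branch, fixed in FIXED.items():
        if version.startswith(branch + ".") or version.startswith(branch + "-"):
            return fixed
    return "unknown branch"


def enabled_ajp_connectors(server_xml: str) -> list:
    """Enabled AJP <Connector> elements as (protocol, port); commented-out ones are skipped by the XML parser."""
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat's default when the attribute is absent
        if proto.startswith("AJP/") or "coyote.ajp" in proto:  # "AJP/1.3" or an explicit Ajp*Protocol class
            found.append((proto, conn.get("port", "")))
    return found


def exposure(version: str, server_xml: str) -> str:
    """Combine both conditions from the thread: listed version AND an enabled AJP connector."""
    if not version_affected(version):
        return "not affected: version is not one of the four listed releases"
    ajp = enabled_ajp_connectors(server_xml)
    if not ajp:
        return "affected version, but no enabled AJP connector: not exposed"
    ports = ", ".join(port for _, port in ajp)
    return f"EXPOSED via AJP on port(s) {ports}: upgrade to {fixed_release(version)} or later"


if __name__ == "__main__":
    print("8.5.88 / AJP enabled  ->", exposure("8.5.88", SERVER_XML_AJP_ENABLED))
    print("8.5.88 / AJP disabled ->", exposure("8.5.88", SERVER_XML_AJP_DISABLED))
    print("8.5.89 / AJP enabled  ->", exposure("8.5.89", SERVER_XML_AJP_ENABLED))
```

Per Mark's reply further down, mod_jk front ends are almost certainly affected too, so the type of AJP proxy does not change the result; only the Tomcat version and the connector do.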


RE: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

Posted by jo...@wellsfargo.com.INVALID.
Now that is what I call proactive!

Jon McAlexander
Senior Infrastructure Engineer


> -----Original Message-----
> From: James H. H. Lampert <ja...@touchtonecorp.com.INVALID>
> Sent: Thursday, June 22, 2023 10:25 AM
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure
> Importance: High
> ...


Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

Posted by "James H. H. Lampert" <ja...@touchtonecorp.com.INVALID>.
Funny thing: we recently needed to update a customer's Tomcat because 
they were complaining about a security issue that had prompted 8.5.88.

And by the time we got the update request, 8.5.89 was already out, but 
we hadn't yet heard of CVE-2023-34981.

So we'd already skipped over 8.5.88 before we were even aware that it 
had a problem.

--
JHHL



Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

Posted by Mark Thomas <ma...@apache.org>.
On 22/06/2023 00:17, Stefan Mayr wrote:
> Hi,
> 
> On 21.06.2023 at 12:20, Mark Thomas wrote:
>> CVE-2023-34981 Apache Tomcat - Information disclosure
>> ...
> 
> Are setups with mod_jk also affected?

Almost certainly but it wasn't explicitly tested.

Mark



Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

Posted by Stefan Mayr <st...@mayr-stefan.de>.
Hi,

On 21.06.2023 at 12:20, Mark Thomas wrote:
> CVE-2023-34981 Apache Tomcat - Information disclosure
> ...

Are setups with mod_jk also affected?

Thanks,

Stefan





Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

Posted by Mark Thomas <ma...@apache.org>.
On 29/06/2023 14:24, George Angeletos wrote:
> Hello,
> 
> I presume this only affects setups using AJP connectors - right?

Correct.

Mark




Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

Posted by George Angeletos <g....@gmail.com>.
Hello,

I presume this only affects setups using AJP connectors - right?


Thanks
George


On Wed, 21 Jun 2023 at 13:21, Mark Thomas <ma...@apache.org> wrote:

> CVE-2023-34981 Apache Tomcat - Information disclosure
> ...