You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by Mark Thomas <ma...@apache.org> on 2021/07/12 13:04:12 UTC

[SECURITY] CVE-2021-30640 Apache Tomcat JNDI realm authentication weakness

CVE-2021-30640 JNDI Realm Authentication Weakness

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.5
Apache Tomcat 9.0.0.M1 to 9.0.45
Apache Tomcat 8.5.0 to 8.5.65
Apache Tomcat 7.0.0 to 7.0.108

Description:
Queries made by the JNDI Realm did not always correctly escape 
parameters. Parameter values could be sourced from user provided data 
(eg user names) as well as configuration data provided by an administrator.
In limited circumstances it was possible for users to authenticate using 
variations of their user name and/or to bypass some of the protection 
provided by the LockOut Realm.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.6 or later
- Upgrade to Apache Tomcat 9.0.46 or later
- Upgrade to Apache Tomcat 8.5.66 or later
- Upgrade to Apache Tomcat 7.0.109 or later

History:
2021-07-12 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html