Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2021/07/12 16:56:00 UTC

[jira] [Closed] (OFBIZ-12280) Upgrade Tomcat from 9.0.43 to 9.0.48 (due to CVEs-2021-30037/30639/30640)

     [ https://issues.apache.org/jira/browse/OFBIZ-12280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-12280.
-----------------------------------
    Resolution: Fixed

> Upgrade Tomcat from 9.0.43 to 9.0.48 (due to CVEs-2021-30037/30639/30640)
> -------------------------------------------------------------------------
>
>                 Key: OFBIZ-12280
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12280
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework, Gradle
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, Release Branch 17.12
>
>
> h1. CVE-2021-33037 HTTP request smuggling
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.6
> Apache Tomcat 9.0.0.M1 to 9.0.46
> Apache Tomcat 8.5.0 to 8.5.66
> Description:
> Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; Tomcat honoured the identity encoding; and Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.0.7 or later
> - Upgrade to Apache Tomcat 9.0.48 or later
> - Upgrade to Apache Tomcat 8.5.68 or later
> Note that this issue was fixed in 9.0.47 and 8.5.67 but the release votes for those versions did not pass.
> h1. CVE-2021-30639 Denial of Service
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.3 to 10.0.4
> Apache Tomcat 9.0.44
> Apache Tomcat 8.5.64
> Description:
> An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS.
> Applications that do not use non-blocking I/O are not exposed to this vulnerability.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.0.5 or later
> - Upgrade to Apache Tomcat 9.0.45 or later
> - Upgrade to Apache Tomcat 8.5.65 or later
> h1. CVE-2021-30640 JNDI Realm Authentication Weakness
> Severity: Low
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.5
> Apache Tomcat 9.0.0.M1 to 9.0.45
> Apache Tomcat 8.5.0 to 8.5.65
> Apache Tomcat 7.0.0 to 7.0.108
> Description:
> Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (eg user names) as well as configuration data provided by an administrator.
> In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.0.6 or later
> - Upgrade to Apache Tomcat 9.0.46 or later
> - Upgrade to Apache Tomcat 8.5.66 or later
> - Upgrade to Apache Tomcat 7.0.109 or later
> History:
> 2021-07-12 Original advisory
> References:
> [1] https://tomcat.apache.org/security-10.html
> [2] https://tomcat.apache.org/security-9.html
> [3] https://tomcat.apache.org/security-8.html
> [4] https://tomcat.apache.org/security-7.html
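
The three parsing conditions named in the CVE-2021-33037 advisory above, turned into a defensive request check such as a reverse proxy or WAF filter would apply before forwarding. This is an added example, not Tomcat's or OFBiz's code; the header representation, the verdict format and the extra Content-Length conflict rule (RFC 7230 sec. 3.3.3, not part of the advisory) are this example's own assumptions.

```python
"""Defensive Transfer-Encoding check for an incoming HTTP/1.x request.
Added example; the (name, value) header list and the list-of-reasons
verdict are assumptions of this example, not Tomcat's internal API."""

# Transfer codings a compliant HTTP/1.1 parser recognises (RFC 7230 sec. 4).
# "identity" is deliberately absent: it is not a valid transfer coding.
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress", "x-gzip", "x-compress"}


def parse_codings(header_values):
    """Split one or more Transfer-Encoding field values into a lowercase list,
    dropping parameters (e.g. 'chunked;q=1') so 'Chunked ' matches 'chunked'."""
    codings = []
    for value in header_values:
        for item in value.split(","):
            name = item.split(";", 1)[0].strip().lower()
            if name:
                codings.append(name)
    return codings


def check_transfer_encoding(version, headers):
    """Return the reasons to reject the request; an empty list means accept.
    Mirrors the advisory: never silently ignore a present Transfer-Encoding,
    reject 'identity', and require 'chunked' to be the single final coding."""
    te_values = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl_values = [v for n, v in headers if n.lower() == "content-length"]
    if not te_values:
        return []  # no transfer coding declared: nothing to validate here
    reasons = []
    if version != "HTTP/1.1":
        # The vulnerable parser dropped the header in a similar case; dropping
        # it lets the proxy and the backend read different bodies, so reject.
        reasons.append("Transfer-Encoding on a %s request" % version)
    codings = parse_codings(te_values)
    if "identity" in codings:
        reasons.append("'identity' is not a valid transfer coding")
    unknown = [c for c in codings if c not in KNOWN_CODINGS and c != "identity"]
    if unknown:
        reasons.append("unknown transfer coding(s): %s" % ", ".join(unknown))
    if codings.count("chunked") != 1 or codings[-1] != "chunked":
        # For a request, chunked must be the final coding or the body length
        # is undefined (RFC 7230 sec. 3.3.3: respond 400 and close).
        reasons.append("'chunked' must appear exactly once, as the final coding")
    if cl_values:
        # Extra rule beyond the advisory: TE plus Content-Length is ambiguous.
        reasons.append("both Transfer-Encoding and Content-Length present")
    return reasons
```

A proxy that rejects every request this function flags never forwards a body that it and the backend could frame differently, which is the condition request smuggling relies on.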



--
This message was sent by Atlassian Jira
(v8.3.4#803005)