====================================================================
CERT-Renater Information Note No. 2017/VULN106
_____________________________________________________________________

DATE : 11/04/2017
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache Tomcat versions 6, 7, 8, 9 prior to 9.0.0.M19, 8.5.13, 8.0.43, 7.0.77, 6.0.53.
=====================================================================

http://mail-archives.apache.org/mod_mbox/tomcat-announce/201704.mbox/%3c63a584ba-4db7-85d3-0206-c1164b9d26c6@apache.org%3e
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201704.mbox/%3c6d8077ef-1bcb-d07b-0bd0-f70ab0043faf@apache.org%3e
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201704.mbox/%3c8a78e8fe-616e-1959-3c0e-26704fc72766@apache.org%3e
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201704.mbox/%3c31f87752-c04f-65e7-fff8-d599484aa7e5@apache.org%3e
____________________________________________________________________

CVE-2017-5651 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M18
Apache Tomcat 8.5.0 to 8.5.12
Apache Tomcat 8.0.x and earlier are not affected

Description:
The refactoring of the HTTP connectors for 8.5.x onwards introduced a
regression in the send file processing. If the send file processing
completed quickly, it was possible for the Processor to be added to the
processor cache twice. This could result in the same Processor being used
for multiple requests, which in turn could lead to unexpected errors
and/or response mix-up.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M19 or later
- Upgrade to Apache Tomcat 8.5.13 or later

Credit:
This issue was reported publicly as Bug 60918 [1] and the security
implications identified by the Tomcat security team.

History:
2017-04-10 Original advisory

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60918
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
____________________________________________________________________

CVE-2017-5650 Apache Tomcat Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M18
Apache Tomcat 8.5.0 to 8.5.12
Apache Tomcat 8.0.x and earlier are not affected

Description:
The handling of an HTTP/2 GOAWAY frame for a connection did not close
streams associated with that connection that were currently waiting for
a WINDOW_UPDATE before allowing the application to write more data.
These waiting streams each consumed a thread. A malicious client could
therefore construct a series of HTTP/2 requests that would consume all
available processing threads.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M19 or later
- Upgrade to Apache Tomcat 8.5.13 or later

Credit:
This issue was identified by Chun Han Hsiao and reported responsibly to
the Tomcat security team.

History:
2017-04-10 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
____________________________________________________________________

CVE-2017-5648 Apache Tomcat Information Disclosure

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M17
Apache Tomcat 8.5.0 to 8.5.11
Apache Tomcat 8.0.0.RC1 to 8.0.41
Apache Tomcat 7.0.0 to 7.0.75
Apache Tomcat 6.0.x is not affected

Description:
While investigating bug 60718, it was noticed that some calls to
application listeners did not use the appropriate facade object. When
running an untrusted application under a SecurityManager, it was
therefore possible for that untrusted application to retain a reference
to the request or response object and thereby access and/or modify
information associated with another web application.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M18 or later
- Upgrade to Apache Tomcat 8.5.12 or later
- Upgrade to Apache Tomcat 8.0.42 or later
- Upgrade to Apache Tomcat 7.0.76 or later

Credit:
This issue was identified by the Tomcat security team.

History:
2017-04-10 Original advisory

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60718
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
____________________________________________________________________

CVE-2017-5647 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M18
Apache Tomcat 8.5.0 to 8.5.12
Apache Tomcat 8.0.0.RC1 to 8.0.42
Apache Tomcat 7.0.0 to 7.0.76
Apache Tomcat 6.0.0 to 6.0.52

Description:
A bug in the handling of pipelined requests when send file was used
resulted in the pipelined request being lost when send file processing
of the previous request completed. This could result in responses
appearing to be sent for the wrong request. For example, a user agent
that sent requests A, B and C could see the correct response for
request A, the response for request C for request B, and no response
for request C.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Switch to the BIO HTTP connector where available
- Disable send file
- Upgrade to Apache Tomcat 9.0.0.M19 or later
- Upgrade to Apache Tomcat 8.5.13 or later
- Upgrade to Apache Tomcat 8.0.43 or later
- Upgrade to Apache Tomcat 7.0.77 or later
- Upgrade to Apache Tomcat 6.0.53 or later

Credit:
This issue was identified by the Tomcat security team.

History:
2017-04-10 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.htm

==========================================================
+ CERT-RENATER           | tel : 01-53-94-20-44         +
+ 23 - 25 Rue Daviel     | fax : 01-53-94-20-41         +
+ 75013 Paris            | email: cert@support.renater.fr +
==========================================================
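The note lists four affected version ranges and, for CVE-2017-5647, a configuration mitigation ("Disable send file") that can be applied before an upgrade. The script below is an added example, not CERT-Renater's or the Tomcat project's own tooling: it turns the version ranges stated above into a check against a deployed Tomcat version string (handling the 9.0.0.Mxx milestone and 8.0.0.RCx release-candidate forms), and audits a server.xml for Connectors on which send file is still enabled. It assumes, per the Tomcat connector documentation, that useSendfile defaults to true on the NIO, NIO2 and APR connectors; the sample server.xml is constructed for the demonstration.

```python
"""Check a Tomcat version against the four CVEs in this note and audit
server.xml for the "disable send file" mitigation of CVE-2017-5647.

Added example; not CERT-Renater's or the Tomcat project's own tooling.
The version ranges are copied from the note; SAMPLE_SERVER_XML is a
constructed input, not a real deployment.
"""
import re
import xml.etree.ElementTree as ET

# Tomcat version string -> sortable key. A pre-release tag (M or RC)
# sorts before the final release with the same numeric triple, so
# 9.0.0.M18 < 9.0.0 and 8.0.0.RC1 < 8.0.1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")
_STAGE = {"M": 0, "RC": 1, None: 2}


def version_key(version):
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    major, minor, patch, tag, num = m.groups()
    return (int(major), int(minor), int(patch), _STAGE[tag], int(num or 0))


# Inclusive affected ranges exactly as stated in the note, one per branch.
AFFECTED = {
    "CVE-2017-5651": [("9.0.0.M1", "9.0.0.M18"), ("8.5.0", "8.5.12")],
    "CVE-2017-5650": [("9.0.0.M1", "9.0.0.M18"), ("8.5.0", "8.5.12")],
    "CVE-2017-5648": [("9.0.0.M1", "9.0.0.M17"), ("8.5.0", "8.5.11"),
                      ("8.0.0.RC1", "8.0.41"), ("7.0.0", "7.0.75")],
    "CVE-2017-5647": [("9.0.0.M1", "9.0.0.M18"), ("8.5.0", "8.5.12"),
                      ("8.0.0.RC1", "8.0.42"), ("7.0.0", "7.0.76"),
                      ("6.0.0", "6.0.52")],
}


def applicable_cves(version):
    """Return the sorted CVE ids whose affected ranges contain `version`."""
    v = version_key(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(version_key(lo) <= v <= version_key(hi) for lo, hi in ranges):
            hits.append(cve)
    return sorted(hits)


# Connector protocols that never use send file: the blocking BIO HTTP
# connector (the note's first mitigation; removed in 8.5) and AJP.
_NO_SENDFILE = ("org.apache.coyote.http11.Http11Protocol",
                "AJP/1.3", "org.apache.coyote.ajp.")


def connectors_with_sendfile(server_xml):
    """Return the ports of Connectors on which send file may still be on.

    Assumption (Tomcat docs): useSendfile defaults to true on the NIO,
    NIO2 and APR connectors, so anything not explicitly "false" counts
    as enabled. A bare protocol="HTTP/1.1" is treated as sendfile-capable
    because it resolves to NIO on 8.5/9, and to APR on 7/8.0 when the
    native library is present.
    """
    root = ET.fromstring(server_xml)
    flagged = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if proto.startswith(_NO_SENDFILE):
            continue
        if conn.get("useSendfile", "true").lower() != "false":
            flagged.append(conn.get("port"))
    return flagged


# Constructed sample: one connector with the mitigation applied, one
# NIO2 connector left at its default, and an AJP connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
               useSendfile="false" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               SSLEnabled="true"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for ver in ("8.5.12", "8.5.13", "9.0.0.M17", "8.0.42", "6.0.53"):
        print(ver, applicable_cves(ver) or "not affected by this note")
    print("connectors still using send file:",
          connectors_with_sendfile(SAMPLE_SERVER_XML))
```

The version string to feed applicable_cves() is the one Tomcat reports itself (for example via catalina.sh version or the ServerInfo class), so the check is only as reliable as that report. Disabling send file is a stop-gap for CVE-2017-5647 alone; the other three issues in this note have no configuration workaround and need the upgrade.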