==================================================================== CERT-Renater Note d'Information No. 2021/VULN129 _____________________________________________________________________ DATE : 03/03/2021 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior to 10.0.2, 9.0.43, 8.5.63, 7.0.108. ===================================================================== http://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3cb7626398-5e6d-1639-4e9e-e41b34af84de@apache.org%3e http://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3c811bba77-e74e-9f9b-62ca-5253a09ba84f@apache.org%3e _____________________________________________________________________ CVE-2021-25122 h2c request mix-up Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.0 Apache Tomcat 9.0.0.M1 to 9.0.41 Apache Tomcat 8.5.0 to 8.5.61 Description: When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 10.0.2 or later - Upgrade to Apache Tomcat 9.0.43 or later - Upgrade to Apache Tomcat 8.5.63 or later Note that issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes for those versions did not pass. Credit: This issue was identified by the Apache Tomcat Security Team. History: 2021-03-01 Original advisory References: [1] https://tomcat.apache.org/security-10.html [2] https://tomcat.apache.org/security-9.html [3] https://tomcat.apache.org/security-8.html [4] https://tomcat.apache.org/security-7.html _____________________________________________________________________ CVE-2021-25329 Incomplete fix for CVE-2020-9484 (RCE via session persistence) Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.0 Apache Tomcat 9.0.0.M1 to 9.0.41 Apache Tomcat 8.5.0 to 8.5.61 Apache Tomcat 7.0.0 to 7.0.107 Description: The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 also apply to this issue. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 10.0.2 or later - Upgrade to Apache Tomcat 9.0.43 or later - Upgrade to Apache Tomcat 8.5.63 or later - Upgrade to Apache Tomcat 7.0.108 or later - the the previously published non-upgrade mitigations for CVE-2020-9484 also apply to this issue Note that issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes for those versions did not pass. Credit: This issue was identified by Trung Pham of Viettel Cyber Security. History: 2021-03-01 Original advisory References: [1] https://tomcat.apache.org/security-10.html [2] https://tomcat.apache.org/security-9.html [3] https://tomcat.apache.org/security-8.html [4] https://tomcat.apache.org/security-7.html ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================