===================================================================== CERT-Renater Note d'Information No. 2023/VULN229 _____________________________________________________________________ DATE : 23/06/2023 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior to 11.0.0-M6, 10.1.9, 9.0.75, 9.0.75. ===================================================================== https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz _____________________________________________________________________ CVE-2023-34981 Apache Tomcat - Information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M5 Apache Tomcat 10.1.8 Apache Tomcat 9.0.74 Apache Tomcat 8.5.88 Description: The fix for bug 66512 introduced a regression that was fixed as bug 66591. The regression meant that, if a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent which in turn meant that at least one AJP based proxy (mod_proxy_ajp) would use the response headers from the previous request for the current request leading to an information leak. Mitigation: Users of the affected versions should apply one of the following mitigations: - - Upgrade to Apache Tomcat 11.0.0-M6 or later - - Upgrade to Apache Tomcat 10.1.9 or later - - Upgrade to Apache Tomcat 9.0.75 or later - - Upgrade to Apache Tomcat 9.0.75 or later Credit: Hidenobu Hayashi and Yuichiro Fukubayashi of M3, Inc. History: 2023-06-21 Original advisory References: [1] https://tomcat.apache.org/security-11.html [2] https://tomcat.apache.org/security-10.html [3] https://tomcat.apache.org/security-9.html [4] https://tomcat.apache.org/security-8.html [5] https://bz.apache.org/bugzilla/show_bug.cgi?id=66512 [6] https://bz.apache.org/bugzilla/show_bug.cgi?id=66591 ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================