=====================================================================

                             CERT-Renater

                   Information Note No. 2023/VULN389

_____________________________________________________________________

DATE                : 11/10/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior
                       to 11.0.0-M12, 10.1.14, 9.0.81, 8.5.94.

=====================================================================
https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp
https://lists.apache.org/thread/3m81kt8c2gtg4nkjfwt2hvt5l9ycx6vl
https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw
https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82
https://lists.apache.org/thread/7yqptwgj7gj1lzr3017w716fkyoolsjo
_____________________________________________________________________

[SECURITY] CVE-2023-45648 Apache Tomcat - Request Smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M11
Apache Tomcat 10.1.0-M1 to 10.1.13
Apache Tomcat 9.0.0-M1 to 9.0.80
Apache Tomcat 8.5.0 to 8.5.93

Description:
Tomcat did not correctly parse HTTP trailer headers. A specially 
crafted, invalid trailer header could cause Tomcat to treat a single 
request as multiple requests leading to the possibility of request 
smuggling when behind a reverse proxy.
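The failure mode above is a desynchronisation: server and reverse proxy disagree about where one request ends and the next begins. The following strict decoder for a chunked body with a trailer section is an added illustration, not Tomcat's code, of the parsing discipline that closes that gap: every trailer line must match the RFC 9112 field-line grammar, forbidden framing fields are rejected, and any violation fails the whole request instead of being skipped. The forbidden-trailer set is a representative subset of RFC 9110 section 6.5.1, and the printable-ASCII field value is a simplification.

```python
"""Strict decoder for an HTTP/1.1 chunked body with a trailer section
(RFC 9112 section 7.1).  Added illustration, not Tomcat's code: it shows
the parsing discipline that prevents the class of bug described above.
Any malformed trailer line aborts the whole request; the decoder never
skips a bad line or treats later bytes as a fresh request boundary."""
import re
from typing import Dict, Tuple


class ChunkedParseError(ValueError):
    """Any deviation from the chunked grammar.  A server should answer
    400 and close the connection, so that it and any reverse proxy in
    front of it can never disagree about where this request ends."""


# token = 1*tchar (RFC 9110 section 5.6.2)
_TOKEN = rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
# field-line = field-name ":" OWS field-value OWS   (printable ASCII value)
_TRAILER_LINE = re.compile(
    rb"^(" + _TOKEN + rb"):[ \t]*([\x21-\x7e][\x20-\x7e]*)?[ \t]*$")
_CHUNK_SIZE = re.compile(rb"^[0-9A-Fa-f]{1,8}$")

# Representative subset of fields RFC 9110 section 6.5.1 forbids in trailers
# (framing, routing, content metadata); the full list is longer.
_FORBIDDEN_TRAILERS = {
    b"content-length", b"transfer-encoding", b"host", b"trailer",
    b"content-encoding", b"content-type", b"content-range",
}


def decode_chunked(data: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Return (body, trailers, remaining_bytes) or raise ChunkedParseError.

    remaining_bytes is whatever follows the final CRLF; on a keep-alive
    connection that is the start of the next request, which is exactly
    why the framing must be parsed strictly."""
    pos = 0
    body = bytearray()
    # chunk = chunk-size [chunk-ext] CRLF chunk-data CRLF, until size 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ChunkedParseError("truncated chunk-size line")
        size_field = data[pos:end].split(b";", 1)[0]   # drop chunk-ext
        if not _CHUNK_SIZE.match(size_field):
            raise ChunkedParseError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            break
        chunk = data[pos:pos + size]
        if len(chunk) < size:
            raise ChunkedParseError("truncated chunk data")
        body += chunk
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ChunkedParseError("chunk data not terminated by CRLF")
        pos += 2
    # trailer-section = *( field-line CRLF ), then the empty line
    trailers: Dict[bytes, bytes] = {}
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ChunkedParseError("truncated trailer section")
        line = data[pos:end]
        pos = end + 2
        if line == b"":
            break
        m = _TRAILER_LINE.match(line)
        if m is None:
            # Do NOT skip and resynchronise: fail the request here.
            raise ChunkedParseError(f"malformed trailer line {line!r}")
        name = m.group(1).lower()
        if name in _FORBIDDEN_TRAILERS:
            raise ChunkedParseError(f"field not allowed in trailers: {name!r}")
        trailers[name] = (m.group(2) or b"").strip()
    return bytes(body), trailers, data[pos:]


if __name__ == "__main__":
    # Constructed sample: two chunks, one trailer, then pipelined bytes.
    sample = (b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n"
              b"X-Checksum: abc\r\n\r\nGET /next HTTP/1.1\r\n")
    print(decode_chunked(sample))
```

The returned third element makes the security point visible: whatever the decoder does not consume becomes the next request on the connection, so a lenient decoder that skips a malformed trailer line would hand a different byte offset to the request parser than a strict proxy in front of it.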

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M12 or later
- Upgrade to Apache Tomcat 10.1.14 or later
- Upgrade to Apache Tomcat 9.0.81 or later
- Upgrade to Apache Tomcat 8.5.94 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security
team by Keran Mu and Jianjun Chen from Tsinghua University and
Zhongguancun Laboratory.

History:
2023-10-10 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html

_____________________________________________________________________

[SECURITY] CVE-2023-44487 Apache Tomcat - HTTP/2 DoS

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M11
Apache Tomcat 10.1.0-M1 to 10.1.13
Apache Tomcat 9.0.0-M1 to 9.0.80
Apache Tomcat 8.5.0 to 8.5.93

Description:
Tomcat's HTTP/2 implementation was vulnerable to the rapid reset
attack. The denial of service typically manifested as an OutOfMemoryError.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M12 or later
- Upgrade to Apache Tomcat 10.1.14 or later
- Upgrade to Apache Tomcat 9.0.81 or later
- Upgrade to Apache Tomcat 8.5.94 or later

History:
2023-10-10 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html


_____________________________________________________________________

[SECURITY] CVE-2023-42795 Apache Tomcat - information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M11
Apache Tomcat 10.1.0-M1 to 10.1.13
Apache Tomcat 9.0.0-M1 to 9.0.80
Apache Tomcat 8.5.0 to 8.5.93

Description:
When recycling various internal objects, including the request and
the response, prior to re-use by the next request/response, an error
could cause Tomcat to skip some parts of the recycling process
leading to information leaking from the current request/response to
the next.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M12 or later
- Upgrade to Apache Tomcat 10.1.14 or later
- Upgrade to Apache Tomcat 9.0.81 or later
- Upgrade to Apache Tomcat 8.5.94 or later

Credit:
This vulnerability was identified by the Tomcat security team.

History:
2023-10-10 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html


_____________________________________________________________________

[SECURITY] CVE-2023-42794 Apache Tomcat - denial of service

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.70 to 9.0.80
Apache Tomcat 8.5.85 to 8.5.93

Description:
Tomcat's internal fork of Commons FileUpload included an unreleased,
in-progress refactoring that exposed a potential denial of service on
Windows if a web application opened a stream for an uploaded file but
failed to close the stream. The file would never be deleted from disk,
creating the possibility of an eventual denial of service due to the
disk being full.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.81 or later
- Upgrade to Apache Tomcat 8.5.94 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security
team by Mohammad Khedmatgozar (cellbox).

History:
2023-10-10 Original advisory

References:
[1] https://tomcat.apache.org/security-9.html
[2] https://tomcat.apache.org/security-8.html
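The four advisories above share the same fixed releases but not the same affected ranges (CVE-2023-42794 only affects 9.0.70 onwards and 8.5.85 onwards), and milestone builds such as 11.0.0-M11 do not compare as plain dotted numbers. The following checker is an added example, not Tomcat's code, that encodes the ranges exactly as published above and tells an operator which of the four CVEs a deployed version falls under. A version on a branch the advisories do not list (for example 10.0.x) produces no match, which means "not covered by these advisories", not "safe".

```python
"""Check an Apache Tomcat version string against the affected ranges
published in the four advisories above.  Added example, not Tomcat's
own code; the range table is copied verbatim from the advisories."""
import re
import sys
from typing import List, Tuple

# Tomcat version strings look like "9.0.80" or "11.0.0-M11" (milestone).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable key for a Tomcat version.

    Milestones ("-M<n>") sort before the GA release with the same number,
    so 10.1.0-M1 < 10.1.0 < 10.1.13, matching how the advisories list them."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)      # GA release
    return (int(major), int(minor), int(patch), 0, int(milestone))


# Inclusive (first, last) affected versions per branch, from the advisories.
_COMMON_RANGES = [
    ("11.0.0-M1", "11.0.0-M11"),
    ("10.1.0-M1", "10.1.13"),
    ("9.0.0-M1", "9.0.80"),
    ("8.5.0", "8.5.93"),
]
AFFECTED = {
    "CVE-2023-45648": _COMMON_RANGES,                       # request smuggling
    "CVE-2023-44487": _COMMON_RANGES,                       # HTTP/2 rapid reset
    "CVE-2023-42795": _COMMON_RANGES,                       # recycling info leak
    "CVE-2023-42794": [("9.0.70", "9.0.80"), ("8.5.85", "8.5.93")],  # upload DoS
}


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids from the advisories whose ranges contain `version`."""
    key = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def is_fixed_release(version: str) -> bool:
    """True when the version is outside every listed affected range."""
    return not affected_cves(version)


if __name__ == "__main__":
    for arg in sys.argv[1:] or ["9.0.80", "9.0.81", "11.0.0-M11"]:
        print(arg, affected_cves(arg) or "not in any listed affected range")
```

Run it with the version string reported by `catalina.sh version` (or the `ServerInfo` line in the Tomcat log) as its argument.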


_____________________________________________________________________

[ANN] Apache Tomcat 9.0.81 available
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.81.

Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 9.0.81 is a bugfix and feature release. The notable
changes compared to 9.0.80 include:

- Update Tomcat Native to 1.2.39 to pick up Windows binaries built
  with OpenSSL 3.0.11.

- Provide a lifecycle listener that will automatically reload TLS
  configurations a set time before the certificate is due to expire.
  This is intended to be used with third-party tools that regularly
  renew TLS certificates.

- Improve performance of EL expressions in JSPs that use implicit
  objects.

- Several improvements to thread safety and recycling cleanup.

Along with lots of other bug fixes and improvements.

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html


Downloads:
https://tomcat.apache.org/download-90.cgi

Migration guides from Apache Tomcat 7.x and 8.x:
https://tomcat.apache.org/migration.html

Enjoy!

- The Apache Tomcat team

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
