=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN114

_____________________________________________________________________

DATE                : 20/02/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Confluence Data Center,
                     Confluence Server versions prior to 9.2.1, 8.5.19.

=====================================================================
https://jira.atlassian.com/browse/CONFSERVER-99215
https://jira.atlassian.com/browse/CONFSERVER-99216
_____________________________________________________________________

RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina
Dependency in Confluence Data Center and Server


    Type:                   Public Security Vulnerability
    Resolution:             Fixed
    Priority:               Highest
    Fix Version/s:          9.2.1, 8.5.19
    Affects Version/s:      6.10.0, 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0,
                            8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.8.0, 8.7.1,
                            8.9.0, 9.1.0, 9.0.1, 9.2.0
    Component/s:            None
    Labels:                 advisory advisory-to-release dont-import security

    CVSS Score:             9.8
    CVSS Severity:          Critical
    CVE ID:                 CVE-2024-50379
    Vulnerability Source:   Atlassian (Internal)
    CVSSv3 Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability Classes:  RCE (Remote Code Execution)
    Affected Product(s):    Confluence Data Center, Confluence Server

This Critical severity org.apache.tomcat:tomcat-catalina Dependency
vulnerability was introduced in version 6.10 of Confluence Data
Center and Server.

This org.apache.tomcat:tomcat-catalina Dependency vulnerability, with
a CVSS Score of 9.8 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, allows an
unauthenticated attacker to expose assets in your environment
susceptible to exploitation, which has high impact to confidentiality,
high impact to integrity, high impact to availability, and requires
no user interaction.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the specified supported fixed versions:

    Confluence Data Center and Server 8.5: Upgrade to a release
    greater than or equal to 8.5.19

    Confluence Data Center and Server 9.2: Upgrade to a release
    greater than or equal to 9.2.1

See the release notes
(https://confluence.atlassian.com/doc/confluence-release-notes-327.html).
You can download the latest version of Confluence Data Center and
Server from the download center
(https://www.atlassian.com/software/confluence/download-archives).

The National Vulnerability Database provides the following description
for this vulnerability: Time-of-check Time-of-use (TOCTOU) Race
Condition vulnerability during JSP compilation in Apache Tomcat
permits an RCE on case insensitive file systems when the default
servlet is enabled for write (non-default configuration).

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1,
from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.

Users are recommended to upgrade to version 11.0.2, 10.1.34 or
9.0.98, which fixes the issue.

_____________________________________________________________________

RCE (Remote Code Execution) org.apache.tomcat:tomcat-catalina
Dependency in Confluence Data Center and Server


    Type:                   Public Security Vulnerability
    Resolution:             Fixed
    Priority:               Highest
    Fix Version/s:          9.2.1, 8.5.19
    Affects Version/s:      6.10.0, 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0,
                            8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.8.0, 8.7.1,
                            8.9.0, 9.1.0, 9.0.1, 9.2.0
    Component/s:            None
    Labels:                 advisory advisory-to-release dont-import security

    CVSS Score:             9.8
    CVSS Severity:          Critical
    CVE ID:                 CVE-2024-56337
    Vulnerability Source:   Atlassian (Internal)
    CVSSv3 Vector:          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability Classes:  RCE (Remote Code Execution)
    Affected Product(s):    Confluence Data Center, Confluence Server

This Critical severity org.apache.tomcat:tomcat-catalina Dependency
vulnerability was introduced in version 6.10 of Confluence
Data Center and Server.

This org.apache.tomcat:tomcat-catalina Dependency vulnerability,
with a CVSS Score of 9.8 and a CVSS Vector of
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, allows an
unauthenticated attacker to expose assets in your environment
susceptible to exploitation, which has high impact to confidentiality,
high impact to integrity, high impact to availability, and
requires no user interaction.

Atlassian recommends that Confluence Data Center and Server customers
upgrade to the latest version. If you are unable to do so, upgrade your
instance to one of the specified supported fixed versions:

    Confluence Data Center and Server 8.5: Upgrade to a release
    greater than or equal to 8.5.19

    Confluence Data Center and Server 9.2: Upgrade to a release
    greater than or equal to 9.2.1

See the release notes
(https://confluence.atlassian.com/doc/confluence-release-notes-327.html).
You can download the latest version of Confluence Data Center and
Server from the download center
(https://www.atlassian.com/software/confluence/download-archives).

The National Vulnerability Database provides the following description
for this vulnerability: Time-of-check Time-of-use (TOCTOU) Race
Condition vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from
10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.

The mitigation for CVE-2024-50379 was incomplete.

Users running Tomcat on a case insensitive file system with the
default servlet write enabled (readonly initialisation
parameter set to the non-default value of false) may need additional
configuration to fully mitigate CVE-2024-50379 depending on which
version of Java they are using with Tomcat:

    running on Java 8 or Java 11: the system property
    sun.io.useCanonCaches must be explicitly set to false
    (it defaults to true)

    running on Java 17: the system property sun.io.useCanonCaches,
    if set, must be set to false (it defaults to false)

    running on Java 21 onwards: no further configuration is required
    (the system property and the problematic cache have been removed)

Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that
sun.io.useCanonCaches is set appropriately before allowing the
default servlet to be write enabled on a case insensitive file
system. Tomcat will also set sun.io.useCanonCaches to false by
default where it can.
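
The Java-version rules above can be checked against a Tomcat configuration. The following Python audit is an added example, not code from Atlassian, Apache or CERT-Renater; the function names, the sample web.xml fragment and the JVM option strings are constructed for illustration, and Java versions the advisory does not name are reported as not covered.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
# Constructed sample: a conf/web.xml fragment with write enabled (readonly=false).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def _local(elem):
    return elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def _fields(elem):
    return {_local(c): (c.text or "").strip() for c in elem}

def default_servlet_write_enabled(web_xml):
    """True if a DefaultServlet declares init-param readonly=false."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet) != "servlet" or _fields(servlet).get("servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            kv = _fields(param)
            if kv.get("param-name") == "readonly" and kv.get("param-value", "").lower() == "false":
                return True
    return False

def canon_cache_finding(java_major, jvm_opts):
    """Apply the advisory's per-Java-version rule for sun.io.useCanonCaches."""
    values = [v.lower() for v in re.findall(r"-Dsun\.io\.useCanonCaches=(\S+)", jvm_opts)]
    explicit_false = bool(values) and all(v == "false" for v in values)
    if java_major >= 21:
        return "ok: property and cache removed in this Java version"
    if java_major == 17:  # defaults to false; only an explicit non-false value is a problem
        return "ok: unset or false" if not values or explicit_false else "fix: set sun.io.useCanonCaches=false"
    if java_major in (8, 11):  # defaults to true; must be explicitly false
        return "ok: explicitly false" if explicit_false else "fix: add -Dsun.io.useCanonCaches=false"
    return "unknown: Java version not covered by the advisory"

def audit(web_xml, java_major, jvm_opts, case_insensitive_fs):
    """Combine the preconditions (FS + writable default servlet) with the JVM rule."""
    if not (case_insensitive_fs and default_servlet_write_enabled(web_xml)):
        return "n/a: case-insensitive FS with writable default servlet not present"
    return canon_cache_finding(java_major, jvm_opts)

if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML, 11, "-Xmx2g", case_insensitive_fs=True))
```

An "n/a" or "ok" result only covers the additional configuration described here; the fixed Confluence and Tomcat versions listed above are still the remediation.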

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
