Errata ALT-PU-2023-8058-1: Information
Fixes
Published: April 28, 2022
BDU:2022-03434
Уязвимость реализации класса EncryptInterceptor сервера приложений Apache Tomcat, позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
Published: June 23, 2022
BDU:2022-03746
Уязвимость в примерах проверки подлинности с помощью форм в примерах веб-приложений сервера приложений Apache Tomcat, позволяющая нарушителю провести атаку межсайтового скриптинга
Severity: MEDIUM (6.1) Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Links:
Published: Oct. 31, 2022
BDU:2022-07501
Уязвимость реализации атрибута rejectIllegalHeader сервера приложений Apache Tomcat, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)
Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Links:
Published: Aug. 25, 2023
BDU:2023-04989
Уязвимость сервера приложений Apache Tomcat, связанная с переадресацией URL на ненадежный сайт, позволяющая нарушителю перенаправить пользователя на произвольный URL-адрес
Severity: MEDIUM (4.8) Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Links:
Published: Oct. 10, 2023
BDU:2023-06559
Уязвимость реализации протокола HTTP/2, связанная с возможностью формирования потока запросов в рамках уже установленного сетевого соединения, без открытия новых сетевых соединений и без подтверждения получения пакетов, позволяющая нарушителю вызвать отказ в обслуживании
Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
Published: Oct. 10, 2023
BDU:2023-06728
Уязвимость сервера приложений Apache Tomcat существует из-за неполной очистки временных или вспомогательных ресурсов, позволяющая нарушителю раскрыть защищаемую информацию
Severity: HIGH (7.5) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Links:
Published: Oct. 10, 2023
BDU:2023-07041
Уязвимость сервера приложений Apache Tomcat, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю вызвать отказ в обслуживании
Severity: MEDIUM (5.3) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Links:
Published: Sept. 28, 2022
Modified: Nov. 10, 2022
Modified: Nov. 10, 2022
CVE-2021-43980
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
Severity: LOW (3.7) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Links:
Published: May 12, 2022
Modified: April 6, 2023
Modified: April 6, 2023
CVE-2022-29885
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
- https://lists.apache.org/thread/2b4qmhbcyqvc7dyfpjyx54c03x65vhcv
- https://security.netapp.com/advisory/ntap-20220629-0002/
- https://www.oracle.com/security-alerts/cpujul2022.html
- [debian-lts-announce] 20221026 [SECURITY] [DLA 3160-1] tomcat9 security update
- DSA-5265
- http://packetstormsecurity.com/files/171728/Apache-Tomcat-10.1-Denial-Of-Service.html
Published: June 23, 2022
Modified: Oct. 27, 2022
Modified: Oct. 27, 2022
CVE-2022-34305
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.
Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Links:
Published: Nov. 1, 2022
Modified: May 30, 2023
Modified: May 30, 2023
CVE-2022-42252
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Links:
Published: Jan. 3, 2023
Modified: June 27, 2023
Modified: June 27, 2023
CVE-2022-45143
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Links:
Published: March 22, 2023
Modified: Nov. 7, 2023
Modified: Nov. 7, 2023
CVE-2023-28708
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Severity: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Links:
Published: Aug. 26, 2023
Modified: Nov. 3, 2023
Modified: Nov. 3, 2023
CVE-2023-41080
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.
Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Links:
Published: Oct. 10, 2023
Modified: Nov. 4, 2023
Modified: Nov. 4, 2023
CVE-2023-42795
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Links:
- https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw
- http://www.openwall.com/lists/oss-security/2023/10/10/9
- https://www.debian.org/security/2023/dsa-5522
- https://www.debian.org/security/2023/dsa-5521
- https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
- https://security.netapp.com/advisory/ntap-20231103-0007/
Published: Oct. 10, 2023
Modified: April 26, 2024
Modified: April 26, 2024
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Links:
- https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
- https://news.ycombinator.com/item?id=37831062
- https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
- https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
- https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- https://github.com/bcdannyboy/CVE-2023-44487
- https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
- https://github.com/eclipse/jetty.project/issues/10679
- https://github.com/alibaba/tengine/issues/1872
- https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
- https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
- https://github.com/nghttp2/nghttp2/pull/1961
- https://news.ycombinator.com/item?id=37830987
- https://news.ycombinator.com/item?id=37830998
- https://github.com/envoyproxy/envoy/pull/30055
- https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
- https://github.com/caddyserver/caddy/issues/5877
- https://github.com/haproxy/haproxy/issues/2312
- https://github.com/grpc/grpc-go/pull/6703
- https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
- https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
- https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
- https://my.f5.com/manage/s/article/K000137106
- https://bugzilla.proxmox.com/show_bug.cgi?id=4988
- https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
- https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
- https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
- https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
- https://github.com/micrictor/http2-rst-stream
- https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
- https://github.com/dotnet/announcements/issues/277
- https://github.com/apache/trafficserver/pull/10564
- https://github.com/facebook/proxygen/pull/466
- https://github.com/microsoft/CBL-Mariner/pull/6381
- https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
- https://github.com/nodejs/node/pull/50121
- https://github.com/h2o/h2o/pull/3291
- https://github.com/advisories/GHSA-vx74-f528-fxqg
- https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
- https://github.com/golang/go/issues/63417
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
- https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
- https://www.openwall.com/lists/oss-security/2023/10/10/6
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
- https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
- https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
- https://github.com/kubernetes/kubernetes/pull/121120
- https://github.com/oqtane/oqtane.framework/discussions/3367
- https://github.com/opensearch-project/data-prepper/issues/3474
- https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
- https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
- https://netty.io/news/2023/10/10/4-1-100-Final.html
- https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
- https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
- https://news.ycombinator.com/item?id=37837043
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
- https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
- https://github.com/kazu-yamamoto/http2/issues/93
- https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
- https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
- DSA-5522
- DSA-5521
- https://blog.vespa.ai/cve-2023-44487/
- https://github.com/tempesta-tech/tempesta/issues/1986
- https://ubuntu.com/security/CVE-2023-44487
- https://access.redhat.com/security/cve/cve-2023-44487
- https://github.com/junkurihara/rust-rpxy/issues/97
- https://istio.io/latest/news/security/istio-security-2023-004/
- https://bugzilla.redhat.com/show_bug.cgi?id=2242803
- https://github.com/etcd-io/etcd/issues/16740
- https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
- https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
- https://github.com/advisories/GHSA-qppj-fm5r-hxr3
- https://bugzilla.suse.com/show_bug.cgi?id=1216123
- https://github.com/ninenines/cowboy/issues/1615
- https://github.com/varnishcache/varnish-cache/issues/3996
- https://github.com/apache/httpd-site/pull/10
- https://github.com/line/armeria/pull/5232
- https://github.com/projectcontour/contour/pull/5826
- https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
- https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
- https://github.com/akka/akka-http/issues/4323
- https://github.com/apache/apisix/issues/10320
- https://github.com/openresty/openresty/issues/930
- https://github.com/Azure/AKS/issues/3947
- https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
- https://security.paloaltonetworks.com/CVE-2023-44487
- https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
- https://github.com/Kong/kong/discussions/11741
- https://github.com/caddyserver/caddy/releases/tag/v2.7.5
- [debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
- https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
- https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update
- https://security.netapp.com/advisory/ntap-20231016-0001/
- [debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update
- [oss-security] 20231018 Vulnerability in Jenkins
- [oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST
- [oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
- [debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update
- DSA-5540
- [debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update
- https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
- [debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update
- DSA-5549
- FEDORA-2023-ed2642fd58
- FEDORA-2023-54fadada12
- FEDORA-2023-5ff7bf1dd8
- FEDORA-2023-17efd3f2cd
- FEDORA-2023-d5030c983c
- FEDORA-2023-0259c3f26f
- FEDORA-2023-2a9214af5f
- FEDORA-2023-e9c04d81c1
- FEDORA-2023-f66fc0f62a
- FEDORA-2023-4d2fd884ea
- FEDORA-2023-b2c50535cb
- FEDORA-2023-fe53e13b5b
- FEDORA-2023-4bf641255e
- FEDORA-2023-1caffb88af
- FEDORA-2023-3f70b8d406
- FEDORA-2023-7b52921cae
- FEDORA-2023-7934802344
- FEDORA-2023-dbe64661af
- FEDORA-2023-822aab0a5a
- FEDORA-2023-c0c6a91330
- FEDORA-2023-492b7be466
- DSA-5558
- [debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update
- GLSA-202311-09
- DSA-5570
- https://security.netapp.com/advisory/ntap-20240426-0007/
Published: Oct. 10, 2023
Modified: Nov. 4, 2023
Modified: Nov. 4, 2023
CVE-2023-45648
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
Severity: MEDIUM (5.3) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Links:
- https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp
- http://www.openwall.com/lists/oss-security/2023/10/10/10
- https://www.debian.org/security/2023/dsa-5522
- https://www.debian.org/security/2023/dsa-5521
- https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
- https://security.netapp.com/advisory/ntap-20231103-0007/
Published: Nov. 28, 2023
Modified: Jan. 5, 2024
Modified: Jan. 5, 2024
CVE-2023-46589
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Links: