tomcat-9.0.62-27.el8_9.2
Errata ID: AXSA:2024-7418:02
Release date:
2024/01/18 Thursday - 04:37
Title:
tomcat-9.0.62-27.el8_9.2
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- Tomcat contains a vulnerability that allows a remote attacker to perform an open redirect attack via a specially crafted URL when the ROOT (default) web application uses FORM authentication. (CVE-2023-41080)
- The Apache Commons FileUpload bundled with Tomcat contains a flaw in which a stream opened during a file upload is never closed, allowing a remote attacker to carry out a denial-of-service attack. (CVE-2023-42794)
- Tomcat's recycling of internal object data contains a flaw in which part of the recycling process is unintentionally skipped, allowing a remote attacker to leak the contents of the request or response currently being processed into the next request or response. (CVE-2023-42795)
- Tomcat contains a flaw in its input validation that allows a remote attacker to perform an HTTP request smuggling attack via a specially crafted trailer header. (CVE-2023-45648)
Solution:
Update the packages.
CVE:
CVE-2023-41080
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.
CVE-2023-42794
Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
CVE-2023-42795
Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
CVE-2023-45648
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
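The check a defender runs before and after applying this errata is whether the installed tomcat build sorts before the fixed build named above. This is an added example, not code from the Asianux advisory: it ports rpm's own version-ordering rules (rpmvercmp) so that the string reported by `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' tomcat` can be compared with `9.0.62-27.el8_9.2`. The function names and the treatment of a missing epoch as 0 are my assumptions; the advisory states no epoch.

```python
FIXED_EVR = "9.0.62-27.el8_9.2"  # fixed build named in this advisory; no epoch is stated

def rpmvercmp(a, b):
    # Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.
    # Models the '~' pre-release separator; the '^' separator is not modelled.
    if a == b: return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # skip separators: anything that is neither alphanumeric nor '~'
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"): i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"): j += 1
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            # '~' sorts before everything, even the end of the string
            if i >= len(a) or a[i] != "~": return 1
            if j >= len(b) or b[j] != "~": return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b): break
        # next segment: a run of digits (numeric) or of letters (alpha), typed by a
        numeric = a[i].isdigit()
        kind = str.isdigit if numeric else str.isalpha
        si, sj = i, j
        while i < len(a) and kind(a[i]): i += 1
        while j < len(b) and kind(b[j]): j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb: return 1 if numeric else -1      # types differ: numeric beats alpha
        if numeric:                                 # numeric compare, leading zeros dropped
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb): return 1 if len(sa) > len(sb) else -1
        if sa != sb: return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b): return 0
    return -1 if i >= len(a) else 1                 # whoever still has characters left wins

def evr_cmp(a, b):
    # Compare "epoch:version-release" strings the way rpm does; a missing epoch is 0.
    def split(evr):
        epoch, _, rest = evr.rpartition(":")
        version, _, release = rest.partition("-")
        return (int(epoch) if epoch not in ("", "(none)") else 0), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    if ea != eb: return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def needs_update(installed_evr, fixed_evr=FIXED_EVR):
    # True when the installed EVR sorts before the advisory's fixed EVR
    return evr_cmp(installed_evr, fixed_evr) < 0
```

If `rpm` reports an epoch for tomcat, pass the same epoch on both sides (or compare only version-release), since a differing epoch dominates the result.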
Additional information:
N/A
Downloads:
SRPMS
- tomcat-9.0.62-27.el8_9.2.src.rpm
MD5: 7ee1f92919a60879c4019676d1594abe
SHA-256: 83ad5f3bc63161b2709e0349c052c2ce9da23f87d37117d679c0b69c8d3012ba
Size: 14.55 MB
Asianux Server 8 for x86_64
- tomcat-9.0.62-27.el8_9.2.noarch.rpm
MD5: e74642c95a70e0c45d8258d3ff947d58
SHA-256: 0970fc64501d914aca898540c4ae345b4ffc08595b8b790d00403c293b755897
Size: 90.64 kB
- tomcat-admin-webapps-9.0.62-27.el8_9.2.noarch.rpm
MD5: bd632aa2a2c915c2f53818b8782ac148
SHA-256: 8bd2c035beae6f79eddf688989f92d6e93c9148f54197a3e05eac9006071e8f8
Size: 72.32 kB
- tomcat-docs-webapp-9.0.62-27.el8_9.2.noarch.rpm
MD5: d4d73849c669de3c2b7a9fea95df0f0b
SHA-256: 398da8c47423b9995c55bd8a403d736f7216aca8dca24c78511d9554f8244087
Size: 728.60 kB
- tomcat-el-3.0-api-9.0.62-27.el8_9.2.noarch.rpm
MD5: dda26eded85acf93e55522b5d74d3f48
SHA-256: 00cc1cfcd18f8f398556fa834a09594d73568ea15d7a256ab3f8c9204b819edf
Size: 105.50 kB
- tomcat-jsp-2.3-api-9.0.62-27.el8_9.2.noarch.rpm
MD5: d36c881b043946a1b4a33b7221b37f8f
SHA-256: 4c3f0c1bd33a4591dc31425b3024d52ba4901b2eaf5c0f69147a9135a7f910dc
Size: 64.36 kB
- tomcat-lib-9.0.62-27.el8_9.2.noarch.rpm
MD5: ce17bc5a15825a7c7d06815e74938a64
SHA-256: 37e1c377df2f6989fb2137904193cb02894ce2bbe143d1dc8676bd26901125b4
Size: 5.90 MB
- tomcat-servlet-4.0-api-9.0.62-27.el8_9.2.noarch.rpm
MD5: 2f174279700cdbfc6f902a10f6c03082
SHA-256: 2827fe6e993a4b7e4260f48594eaa51884e730505bab0e2b39ed141a484e85d8
Size: 285.42 kB
- tomcat-webapps-9.0.62-27.el8_9.2.noarch.rpm
MD5: 79fde0b038c346be839019c11d187edf
SHA-256: 658886913c4244c88ecee8c9ba3cdca037a9d16ab8a1dfae287f80a6788eb5b8
Size: 79.73 kB