tomcat-9.0.62-37.el9_3.1
Errata ID: AXSA:2024-7474:03
Release date:
2024/01/29 Monday - 21:01
Title:
tomcat-9.0.62-37.el9_3.1
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
The following items have been addressed.
[Security Fix]
- When the ROOT (default) web application in Tomcat uses FORM authentication, a remote attacker can perform an open redirect attack via a specially crafted URL. (CVE-2023-41080)
- The Apache Commons FileUpload code bundled with Tomcat can fail to close the stream during a file upload, allowing a remote attacker to cause a denial of service. (CVE-2023-42794)
- Tomcat's recycling of internal object data can unintentionally skip part of the process, allowing a remote attacker to leak the contents of the request or response currently being processed into the next request or response. (CVE-2023-42795)
- Tomcat has a flaw in its input validation that allows a remote attacker to perform an HTTP request smuggling attack via a specially crafted trailer header. (CVE-2023-45648)
Solution:
Update the package.
CVE:
CVE-2023-41080
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.
CVE-2023-42794
Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
CVE-2023-42795
Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
CVE-2023-45648
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
Additional information:
N/A
Downloads:
SRPMS
- tomcat-9.0.62-37.el9_3.1.src.rpm
MD5: 3d7613c14c6dfabf7b61d8d712cc7135
SHA-256: 9924752e9c9f55948e265d20e21efa817d30517ee7a3b72554ea5de6cb74e41c
Size: 14.56 MB
Asianux Server 9 for x86_64
- tomcat-9.0.62-37.el9_3.1.noarch.rpm
MD5: d9d7ee39c541efae06284809114dbda4
SHA-256: bcbe2092dd68c16f3da6c372b3baaf29252b3629abff8476dde8f416381525f9
Size: 96.94 kB
- tomcat-admin-webapps-9.0.62-37.el9_3.1.noarch.rpm
MD5: 87526b6597561b11f90885a4466ca9be
SHA-256: 8bc1d0660849fc6928f012316726ee94ccc450105697437ce8a23b9fb54971aa
Size: 78.53 kB
- tomcat-docs-webapp-9.0.62-37.el9_3.1.noarch.rpm
MD5: a9b45d7c2bd0c8d5f9f74d3183ce3af6
SHA-256: e47699fbb1da40a1fe9f4ae3b950adb4ba632b266c33b27b397392adec7b9933
Size: 703.31 kB
- tomcat-el-3.0-api-9.0.62-37.el9_3.1.noarch.rpm
MD5: 3c5a6100a76e9ca75a4c340828e91afb
SHA-256: c72f432c4264b6464b894938aac6f9c7d635a98fa49d4ed73cae68d3dc45b9d8
Size: 104.43 kB
- tomcat-jsp-2.3-api-9.0.62-37.el9_3.1.noarch.rpm
MD5: 144fc464d2e7eba19c9e49d8e4b9eccf
SHA-256: 0704291fa514eb5311b81b7bc36ea86d310fd418acbe2ba5b46a2ba86194e0b0
Size: 64.34 kB
- tomcat-lib-9.0.62-37.el9_3.1.noarch.rpm
MD5: 63d05b207ea031c508f1c8259bdaddb2
SHA-256: 46a54baf1acfba81304411b9790e07c3b3f7f78fa9a07de73471972685681e2d
Size: 5.83 MB
- tomcat-servlet-4.0-api-9.0.62-37.el9_3.1.noarch.rpm
MD5: ec9ccbad996b51abbb732b34c0dcb408
SHA-256: 36bde66154511ec26bf06b72f6694a4f0896d34da0a2be20e50891d60f7c91d3
Size: 282.82 kB
- tomcat-webapps-9.0.62-37.el9_3.1.noarch.rpm
MD5: 792765571ae64908e2ea9a52245f74db
SHA-256: 85c39470e9e67aaa546f148aeb861dc1cd945c27fb999ec44401d2081dff9b38
Size: 79.38 kB