Vulnerabilities Details


ZMC-2021.07.13.0809

Apache Tomcat: Multiple vulnerabilities

Operating System:

[WIN][UNIX/LINUX]

Published:

13th July 2021



===========================================================================
                         ZMCIRT Vulnerability Bulletin

                             ZMC-2021.07.13.0809
                      Apache Tomcat: Multiple vulnerabilities
                               13th July 2021

===========================================================================
Product:           Apache Tomcat
Publisher:         The Apache Software Foundation
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
                   Reduced Security    -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-33037 CVE-2021-30640 CVE-2021-30639

Original Bulletin: 
   https://tomcat.apache.org/security-10.html

Comment: This advisory references vulnerabilities in products which run on multiple platforms.
         It is recommended that administrators running Apache Tomcat check for an updated 
         version of the software for their operating system.
         
         This bulletin contains three (3) Apache security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2021-30639 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.3 to 10.0.4
Apache Tomcat 9.0.44
Apache Tomcat 8.5.64

Description:
An error introduced as part of a change to improve error handling during 
non-blocking I/O meant that the error flag associated with the Request 
object was not reset between requests. This meant that once a 
non-blocking I/O error occurred, all future requests handled by that 
request object would fail. Users were able to trigger non-blocking I/O 
errors, e.g. by dropping a connection, thereby creating the possibility 
of triggering a DoS.
Applications that do not use non-blocking I/O are not exposed to this 
vulnerability.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- - Upgrade to Apache Tomcat 10.0.5 or later
- - Upgrade to Apache Tomcat 9.0.45 or later
- - Upgrade to Apache Tomcat 8.5.65 or later

History:
2021-07-12 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html

- ------------------------------------------------------------------------------

CVE-2021-30640 JNDI Realm Authentication Weakness

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.5
Apache Tomcat 9.0.0.M1 to 9.0.45
Apache Tomcat 8.5.0 to 8.5.65
Apache Tomcat 7.0.0 to 7.0.108

Description:
Queries made by the JNDI Realm did not always correctly escape 
parameters. Parameter values could be sourced from user provided data 
(e.g. user names) as well as configuration data provided by an administrator.
In limited circumstances it was possible for users to authenticate using 
variations of their user name and/or to bypass some of the protection 
provided by the LockOut Realm.
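The defensive step the description points at is escaping every user-supplied value before it is spliced into an LDAP search filter, so that a name such as "ali*" is matched literally rather than as a wildcard. The following Python is an added illustration, not Tomcat's JNDI Realm code: it implements the RFC 4515 filter escapes, fills a userSearch-style pattern whose {0} placeholder is modelled on the one the JNDI Realm uses, and evaluates the resulting filter against a small constructed in-memory directory so the escaped and unescaped lookups can be compared. The directory entries, the pattern and the toy filter evaluator (single uid equality assertions only) are all assumptions made for the example.

```python
import re

# Characters with special meaning inside an LDAP search filter and their
# RFC 4515 escapes (a backslash followed by two hex digits).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally when spliced into a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(pattern: str, username: str) -> str:
    """Fill the {0} placeholder of a userSearch-style pattern with an escaped name."""
    return pattern.replace("{0}", escape_filter_value(username))


def _assertion_to_regex(value: str) -> re.Pattern[str]:
    """Compile the value side of an (attr=value) assertion the way a directory
    server reads it: an unescaped '*' is a wildcard, a '\\xx' hex escape is one
    literal character."""
    parts = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            parts.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(value[i]))
            i += 1
    return re.compile("".join(parts))


def search(directory: dict[str, str], filter_str: str) -> list[str]:
    """Evaluate a single (uid=value) filter against a toy directory of uid -> DN."""
    m = re.fullmatch(r"\(uid=(.*)\)", filter_str)
    if m is None:
        raise ValueError(f"unsupported filter: {filter_str!r}")
    pattern = _assertion_to_regex(m.group(1))
    return [dn for uid, dn in directory.items() if pattern.fullmatch(uid)]


def lookup_user(directory: dict[str, str], username: str, escape: bool = True) -> list[str]:
    """Look a user up by name. escape=False reproduces the unescaped-parameter
    behaviour the advisory describes; escape=True is the corrected lookup."""
    value = escape_filter_value(username) if escape else username
    return search(directory, f"(uid={value})")


# Constructed sample directory (assumption for this example).
DIRECTORY = {
    "alice": "cn=alice,ou=people,dc=example,dc=org",
    "alicia": "cn=alicia,ou=people,dc=example,dc=org",
    "bob": "cn=bob,ou=people,dc=example,dc=org",
}

if __name__ == "__main__":
    for name in ("alice", "ali*"):
        print(f"{name!r:9} unescaped -> {lookup_user(DIRECTORY, name, escape=False)}")
        print(f"{name!r:9} escaped   -> {lookup_user(DIRECTORY, name)}")
```

With escaping on, only the exact name "alice" resolves to an entry, which is also what a LockOut Realm needs: if each spelling of a name can produce a successful bind, lockout counters keyed on the submitted string no longer protect the account behind it.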

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- - Upgrade to Apache Tomcat 10.0.6 or later
- - Upgrade to Apache Tomcat 9.0.46 or later
- - Upgrade to Apache Tomcat 8.5.66 or later
- - Upgrade to Apache Tomcat 7.0.109 or later

History:
2021-07-12 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html

- ------------------------------------------------------------------------------

CVE-2021-33037 HTTP request smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.6
Apache Tomcat 9.0.0.M1 to 9.0.46
Apache Tomcat 8.5.0 to 8.5.66

Description:
Apache Tomcat did not correctly parse the HTTP transfer-encoding request 
header in some circumstances, leading to the possibility of request 
smuggling when used with a reverse proxy. Specifically: Tomcat 
incorrectly ignored the transfer-encoding header if the client declared 
it would only accept an HTTP/1.0 response; Tomcat honoured the identity 
encoding; and Tomcat did not ensure that, if present, the chunked 
encoding was the final encoding.
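Each of the three parsing mistakes above is a case where an origin server and the reverse proxy in front of it can disagree on where one request body ends and the next begins. The Python below is an added example, not Tomcat's HTTP parser: it classifies the body framing of a request head the strict way (RFC 7230 section 3.3), rejecting Transfer-Encoding in a non-HTTP/1.1 request instead of ignoring it, refusing "identity" as a transfer coding, and requiring "chunked" to appear exactly once as the final coding. The sample request heads, the Framing type and the status codes chosen for each rejection are assumptions made for the example.

```python
import re
from typing import NamedTuple

# Transfer codings an HTTP/1.1 origin may accept. "identity" is deliberately
# absent: RFC 7230 dropped it as a transfer coding, so it must not be treated
# as a harmless no-op.
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}


class Framing(NamedTuple):
    mode: str     # "chunked", "content-length", "none" or "reject"
    status: int   # status a server should answer with; 200 means accept
    reason: str


def parse_request_head(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Parse the request line and header fields of a request head.

    Repeated fields are joined with ", " as RFC 7230 permits, so a second
    Transfer-Encoding line cannot silently replace the first.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, _, rest = lines[0].partition(" ")
    _target, _, version = rest.rpartition(" ")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return method, version, headers


def body_framing(version: str, headers: dict[str, str]) -> Framing:
    """Decide how the message body is delimited, rejecting every ambiguous case."""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is None:
        if cl is None:
            return Framing("none", 200, "no message body")
        if not re.fullmatch(r"[0-9]+", cl):   # also rejects "4, 4" from repeated fields
            return Framing("reject", 400, "malformed Content-Length")
        return Framing("content-length", 200, f"body is {int(cl)} bytes")
    # Never ignore Transfer-Encoding merely because the request is HTTP/1.0:
    # a proxy in front may already have honoured it and forwarded a chunked body.
    if version != "HTTP/1.1":
        return Framing("reject", 400, "Transfer-Encoding in a non-HTTP/1.1 request")
    if cl is not None:
        return Framing("reject", 400, "both Transfer-Encoding and Content-Length present")
    codings = [t.strip().lower() for t in te.split(",") if t.strip()]
    if not codings:
        return Framing("reject", 400, "empty Transfer-Encoding")
    unknown = [c for c in codings if c not in KNOWN_CODINGS]
    if unknown:
        return Framing("reject", 501, f"unsupported transfer coding {unknown[0]!r}")
    # chunked must appear exactly once and must be the final coding.
    if codings.count("chunked") != 1 or codings[-1] != "chunked":
        return Framing("reject", 400, "chunked missing, repeated, or not the final coding")
    return Framing("chunked", 200, "body is chunked")


def check_request(raw: bytes) -> Framing:
    """Classify the framing of a raw request head."""
    _method, version, headers = parse_request_head(raw)
    return body_framing(version, headers)


# Constructed sample request heads, one per parsing rule (assumptions for this example).
SAMPLES = {
    "chunked 1.1": b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n",
    "te in 1.0": b"POST /a HTTP/1.0\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n",
    "identity": b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: identity\r\n\r\n",
    "chunked not last": b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
    "te and cl": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "content-length": b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 4\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} -> {check_request(raw)}")
```

The rejection cases matter more than the accept cases: a server that answers 400 to an ambiguous head forces the client (or the proxy) to resend unambiguously, whereas one that quietly picks an interpretation may pick a different one from the proxy.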

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- - Upgrade to Apache Tomcat 10.0.7 or later
- - Upgrade to Apache Tomcat 9.0.48 or later
- - Upgrade to Apache Tomcat 8.5.68 or later
Note that the issue was fixed in 9.0.47 and 8.5.67 but the release votes
for those versions did not pass.

History:
2021-07-12 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html

ZMCIRT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. ZMCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Internet Email: report@cirt.zm
Telephone:      7070

ZMCIRT personnel answer during Zambian business hours which are 8am to 5pm.
On call after hours for member emergencies only.
===========================================================================

Copyright @2023 ZAMBIA CIRT