Bug 801916 (CVE-2021-30639, CVE-2021-30640, CVE-2021-33037) - <www-servers/tomcat-{7.0.109,8.5.68,9.0.48,10.0.7}: multiple vulnerabilities (CVE-2021-{30639,30640,33037})
Status: RESOLVED FIXED
Alias: CVE-2021-30639, CVE-2021-30640, CVE-2021-33037
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa+]
Reported: 2021-07-12 17:06 UTC by John Helmert III
Modified: 2022-08-21 02:14 UTC
Package list:
www-servers/tomcat-8.5.69 amd64 dev-java/tomcat-servlet-api-8.5.69
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-12 17:06:23 UTC
CVE-2021-30639 (https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E):

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

CVE-2021-30640 (https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E):

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

CVE-2021-33037 (https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E):

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.


Fixes in 7.0.109, 8.5.68, 9.0.48, and 10.0.7, so please stabilize 8.5.68 and
cleanup the 9.x and 10.x branches.
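The CVE-2021-30639 description above comes down to per-request error state that survives the reuse of a pooled Request object. The following is an added example (not Tomcat code, and not the bug report's own text) that models that failure mode: a pooled request object whose `recycle()` either clears or forgets the error flag, and a short request sequence in which one dropped connection is followed by ordinary requests. The class, the `handle()` routine and the status codes are constructed for illustration; the point is the regression check, which is that a request handled after an I/O error must still succeed.

```python
"""Sticky error flag on a pooled request object: a constructed model of the
CVE-2021-30639 failure mode. Added example, not Tomcat's Request class."""


class PooledRequest:
    """One request object reused across many requests on a connection."""

    def __init__(self, reset_error_on_recycle):
        self.reset_error_on_recycle = reset_error_on_recycle  # True models the fix
        self.error = False   # set when a non-blocking I/O error occurs
        self.uri = None

    def recycle(self):
        """Prepare the object for the next request. The vulnerable variant
        clears the URI but leaves the error flag set from the last request."""
        self.uri = None
        if self.reset_error_on_recycle:
            self.error = False


def handle(req, uri, connection_dropped=False):
    """Handle one request on a reused object and return the status the
    client would observe. connection_dropped=True stands in for the client
    closing the connection mid-read, which raises the error flag."""
    req.recycle()
    req.uri = uri
    if connection_dropped:
        req.error = True
    return 500 if req.error else 200


def serve_sequence(reset_error_on_recycle):
    """Constructed traffic: a normal request, one whose connection is dropped
    (the attacker's trigger), then two unrelated requests (the victims')."""
    req = PooledRequest(reset_error_on_recycle)
    return [
        handle(req, "/a"),
        handle(req, "/b", connection_dropped=True),
        handle(req, "/c"),
        handle(req, "/d"),
    ]


if __name__ == "__main__":
    print("vulnerable:", serve_sequence(reset_error_on_recycle=False))
    print("fixed:     ", serve_sequence(reset_error_on_recycle=True))
```

With the flag left uncleared, every request after the dropped connection fails on that object, which is the denial of service the advisory describes; once `recycle()` resets it, only the request that actually hit the error fails.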
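The three parsing problems listed for CVE-2021-33037 all change how a server decides where a request body ends, and request smuggling needs exactly that kind of disagreement between a reverse proxy and its backend. The block below is an added example (it is not Tomcat's parser and not part of this bug report) that puts a simplified model of the three lenient behaviours beside a strict RFC 7230 section 3.3.3 framing decision, then compares the two views of the same headers. The function names, the `client_accepts_only_http10` flag, the outcome strings and the sample headers are all constructed for the example; the rules that `identity` is not a registered transfer coding and that `chunked` must be the final coding are from RFC 7230.

```python
"""Transfer-Encoding framing: the three lenient behaviours the advisory lists
for CVE-2021-33037, modelled beside a strict RFC 7230 parser.
Added example; a constructed approximation, not Tomcat's HTTP parser."""

# Framing outcomes a server can reach for one request (constructed labels)
CHUNKED = "chunked"            # body delimited by chunked encoding
LENGTH = "content-length"      # body delimited by Content-Length
NO_BODY = "no-body"            # neither header: no request body
REJECT_400 = "400 Bad Request"
REJECT_501 = "501 Not Implemented"

# Transfer codings a server may implement; 'identity' was dropped by RFC 7230
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}


def _codings(value):
    """Split a Transfer-Encoding value into lower-cased coding names."""
    return [c.strip().lower() for c in value.split(",") if c.strip()]


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def lenient_framing(headers, client_accepts_only_http10=False):
    """Pre-fix behaviour as the advisory describes it (approximation):
      1. Transfer-Encoding is ignored when the client declared it will only
         accept an HTTP/1.0 response;
      2. 'identity' is honoured as a no-op coding, so an identity-last value
         falls back to Content-Length;
      3. 'chunked' is accepted anywhere in the list, not only last."""
    h = _lower(headers)
    te = h.get("transfer-encoding")
    if te is None or client_accepts_only_http10:
        return LENGTH if "content-length" in h else NO_BODY
    codings = _codings(te)
    if not codings or codings[-1] == "identity":
        return LENGTH if "content-length" in h else NO_BODY
    if "chunked" in codings:
        return CHUNKED
    return LENGTH if "content-length" in h else NO_BODY


def strict_framing(headers, client_accepts_only_http10=False):
    """RFC 7230 section 3.3.3 framing, applied regardless of which response
    version the client will accept (the flag is kept only so both functions
    take the same inputs)."""
    h = _lower(headers)
    te = h.get("transfer-encoding")
    if te is None:
        return LENGTH if "content-length" in h else NO_BODY
    codings = _codings(te)
    if not codings:
        return REJECT_400
    for c in codings:
        if c not in KNOWN_CODINGS:
            return REJECT_501   # 'identity' and anything unrecognised
    if codings[-1] != "chunked":
        return REJECT_400       # chunked absent or not final: length unknowable
    if "content-length" in h:
        # RFC 7230 allows rejecting a message that carries both headers;
        # behind a proxy that is the safer choice.
        return REJECT_400
    return CHUNKED


def smuggling_gap(headers, client_accepts_only_http10=False):
    """Compare a strict reverse proxy's view with a lenient backend's.
    Returns None when the proxy rejects (nothing is forwarded) or both agree;
    otherwise (proxy_view, backend_view), the disagreement on where the
    request ends that request smuggling builds on."""
    proxy = strict_framing(headers, client_accepts_only_http10)
    if proxy in (REJECT_400, REJECT_501):
        return None
    backend = lenient_framing(headers, client_accepts_only_http10)
    return None if proxy == backend else (proxy, backend)


if __name__ == "__main__":
    # Constructed header sets, one per lenient behaviour in the advisory
    samples = [
        ({"Transfer-Encoding": "chunked"}, True),
        ({"Transfer-Encoding": "chunked, identity", "Content-Length": "5"}, False),
        ({"Transfer-Encoding": "chunked, gzip"}, False),
    ]
    for hdrs, http10 in samples:
        print(hdrs, "lenient:", lenient_framing(hdrs, http10),
              "strict:", strict_framing(hdrs, http10),
              "gap:", smuggling_gap(hdrs, http10))
```

The first sample is the case worth running in a proxy deployment: a `Transfer-Encoding: chunked` request from a client that will only take an HTTP/1.0 response is chunked to the proxy but bodiless to the lenient backend, so whatever follows the chunked body is read by the backend as the start of a new request. The other two samples show that the strict parser refuses `identity` outright and refuses a list where `chunked` is not final, so neither ambiguity ever reaches the backend.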
Comment 1 NATTkA bot gentoo-dev 2021-07-12 17:24:22 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-12 18:04:22 UTC Comment hidden (obsolete)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-12 21:44:58 UTC
x86 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-12 21:56:10 UTC
arm64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-12 21:56:41 UTC
ppc64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-12 22:08:59 UTC
amd64 done

all arches done
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-13 00:14:51 UTC
Please cleanup, thanks!
Comment 8 Larry the Git Cow gentoo-dev 2021-07-13 04:26:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6326289a0137c5d8e7e145a0147ae389f91dba63

commit 6326289a0137c5d8e7e145a0147ae389f91dba63
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-07-13 04:25:22 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-07-13 04:26:29 +0000

    www-servers/tomcat: removed vulnerable 8.5.66
    
    Bug: https://bugs.gentoo.org/801916
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 www-servers/tomcat/Manifest             |   1 -
 www-servers/tomcat/tomcat-8.5.66.ebuild | 159 --------------------------------
 2 files changed, 160 deletions(-)
Comment 9 Miroslav Šulc gentoo-dev 2021-07-13 04:27:12 UTC
the tree is clean now, you can proceed
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-13 14:57:33 UTC
Thank you!
Comment 11 NATTkA bot gentoo-dev 2021-08-10 04:32:25 UTC Comment hidden (obsolete)
Comment 12 NATTkA bot gentoo-dev 2021-08-12 05:36:24 UTC Comment hidden (obsolete)
Comment 13 NATTkA bot gentoo-dev 2021-10-02 17:28:34 UTC
Unable to check for sanity:

> no match for package: www-servers/tomcat-8.5.69
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 01:40:12 UTC
GLSA request filed
Comment 15 Larry the Git Cow gentoo-dev 2022-08-21 02:09:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=a4afff138b8507c9b0b4fdbebda4c8d1935d6238

commit a4afff138b8507c9b0b4fdbebda4c8d1935d6238
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-21 01:35:21 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-21 01:40:47 +0000

    [ GLSA 202208-34 ] Apache Tomcat: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/773571
    Bug: https://bugs.gentoo.org/801916
    Bug: https://bugs.gentoo.org/818160
    Bug: https://bugs.gentoo.org/855971
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-34.xml | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
Comment 16 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-21 02:14:21 UTC
GLSA released, all done!