Amazon Linux 2 Security Advisory: ALASTOMCAT8.5-2023-010
Advisory Release Date: 2023-08-21 20:58 Pacific
Advisory Updated Date: 2023-09-25 21:58 Pacific
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. (CVE-2021-24122)
Affected Packages:
tomcat
Note:
This advisory is applicable to Amazon Linux 2 - Tomcat8.5 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update tomcat to update your system.
noarch:
tomcat-8.5.60-1.amzn2.noarch
tomcat-admin-webapps-8.5.60-1.amzn2.noarch
tomcat-docs-webapp-8.5.60-1.amzn2.noarch
tomcat-javadoc-8.5.60-1.amzn2.noarch
tomcat-jsvc-8.5.60-1.amzn2.noarch
tomcat-jsp-2.3-api-8.5.60-1.amzn2.noarch
tomcat-lib-8.5.60-1.amzn2.noarch
tomcat-servlet-3.1-api-8.5.60-1.amzn2.noarch
tomcat-el-3.0-api-8.5.60-1.amzn2.noarch
tomcat-webapps-8.5.60-1.amzn2.noarch
src:
tomcat-8.5.60-1.amzn2.src