Amazon Linux 2023 Security Advisory: ALAS-2023-059
Advisory Release Date: 2023-02-17 20:45 Pacific
Advisory Updated Date: 2024-02-15 02:51 Pacific
2024-02-15: CVE-2021-33037 was added to this advisory.
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
(CVE-2021-33037)
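The three parsing differences above are the whole of the bug: a reverse proxy and an origin server that frame the same request body differently disagree about where one request ends and the next begins, and the bytes in between are the smuggled request. The Python below is an added illustration for this advisory, not Tomcat's code and not the fix Tomcat shipped. It applies the RFC 7230 section 3.3.3 framing rule beside a rule that reproduces the three listed behaviours, then walks a constructed HTTP/1.0 request through both to show which bytes a lenient origin would read as a second request. The PRE_CHUNKED_CODINGS set and every request in it are assumptions of the example.

```python
"""Added example (editor's own code, not Tomcat's): HTTP/1.x request-body
framing rules and the desync behind CVE-2021-33037. All requests are
constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Codings this example accepts ahead of a final "chunked" (an assumption;
# a real server accepts whatever it actually implements).
PRE_CHUNKED_CODINGS = {"gzip", "deflate", "compress"}


@dataclass
class Framing:
    mode: str                      # "chunked", "content-length", "none" or "reject"
    length: Optional[int] = None   # body length when mode == "content-length"


def parse_request_head(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Request line plus a lower-cased header map; repeated headers are kept
    in order so every Transfer-Encoding value sent is visible."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def transfer_codings(headers: Dict[str, List[str]]) -> List[str]:
    """Flatten all Transfer-Encoding headers into one ordered coding list."""
    codings: List[str] = []
    for value in headers.get("transfer-encoding", []):
        codings.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return codings


def content_length(headers: Dict[str, List[str]]) -> Optional[int]:
    """Content-Length, or None if absent; conflicting or non-numeric values
    are an error rather than a guess."""
    values = headers.get("content-length", [])
    if not values:
        return None
    if len(set(values)) != 1 or not values[0].isdigit():
        raise ValueError("invalid Content-Length")
    return int(values[0])


def rfc7230_framing(raw: bytes) -> Framing:
    """RFC 7230 section 3.3.3: Transfer-Encoding beats Content-Length, chunked
    must be the final coding, "identity" is not a transfer coding (rejected
    like any unknown one), and none of this depends on the request version."""
    _, headers = parse_request_head(raw)
    codings = transfer_codings(headers)
    if codings:
        if codings[-1] != "chunked" or not set(codings[:-1]) <= PRE_CHUNKED_CODINGS:
            return Framing("reject")
        return Framing("chunked")
    length = content_length(headers)
    return Framing("content-length", length) if length is not None else Framing("none")


def lenient_framing(raw: bytes) -> Framing:
    """Pre-fix behaviour from the advisory, kept only for comparison:
    (1) Transfer-Encoding ignored for HTTP/1.0 requests, (2) "identity"
    accepted as a no-op coding, (3) chunked honoured wherever it appears."""
    request_line, headers = parse_request_head(raw)
    version = request_line.rsplit(" ", 1)[-1]
    codings = [] if version == "HTTP/1.0" else transfer_codings(headers)   # (1)
    if any(c not in ("chunked", "identity") for c in codings):             # (2)
        return Framing("reject")
    if "chunked" in codings:                                               # (3)
        return Framing("chunked")
    length = content_length(headers)
    return Framing("content-length", length) if length is not None else Framing("none")


def message_end(raw: bytes, framing: Framing) -> Optional[int]:
    """Offset at which one message ends under `framing` (None if rejected);
    everything after it is read as the start of the next request."""
    pos = raw.index(b"\r\n\r\n") + 4
    if framing.mode == "reject":
        return None
    if framing.mode == "none":
        return pos
    if framing.mode == "content-length":
        return pos + framing.length
    while True:                                   # walk chunks to the zero-size chunk
        line_end = raw.index(b"\r\n", pos)
        size = int(raw[pos:line_end].split(b";", 1)[0], 16)
        if size == 0:                             # trailers end at the next blank line
            return raw.index(b"\r\n\r\n", line_end) + 4
        pos = line_end + 2 + size
        if raw[pos:pos + 2] != b"\r\n":
            raise ValueError("missing chunk terminator")
        pos += 2


# Constructed TE.CL-style request: a proxy following RFC 7230 frames the body
# as chunked and forwards all of it; a lenient origin ignores Transfer-Encoding
# because the request is HTTP/1.0, reads 4 bytes ("26\r\n") and then treats
# the chunk data as a brand-new request on the same connection.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend\r\n\r\n"
ATTACK = (
    b"POST /app HTTP/1.0\r\nHost: backend\r\n"
    b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
    + f"{len(SMUGGLED):x}\r\n".encode() + SMUGGLED + b"\r\n0\r\n\r\n"
)


def leftover_for_lenient(raw: bytes) -> bytes:
    """Bytes the lenient origin would parse as the next request."""
    end = message_end(raw, lenient_framing(raw))
    return b"" if end is None else raw[end:]
```

For the constructed request, rfc7230_framing consumes the whole message while lenient_framing stops after four body bytes, so leftover_for_lenient returns bytes beginning with GET /admin. A request carrying Transfer-Encoding: identity, or chunked followed by another coding, is rejected by the RFC rule but framed by the lenient one, which is the other two points the advisory lists; whether that becomes an exploitable desync depends on what the proxy in front does with the same header, which is why the fix is to stop guessing rather than to guess better.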
The fix for CVE-2020-9484 introduced a time-of-check, time-of-use (TOCTOU) vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore. (CVE-2022-23181)
Affected Packages:
tomcat9
Issue Correction:
Run dnf update tomcat9 --releasever=2023.0.20230222 to update your system.
noarch:
tomcat9-lib-9.0.64-1.amzn2023.0.2.noarch
tomcat9-jsp-2.3-api-9.0.64-1.amzn2023.0.2.noarch
tomcat9-servlet-4.0-api-9.0.64-1.amzn2023.0.2.noarch
tomcat9-admin-webapps-9.0.64-1.amzn2023.0.2.noarch
tomcat9-webapps-9.0.64-1.amzn2023.0.2.noarch
tomcat9-el-3.0-api-9.0.64-1.amzn2023.0.2.noarch
tomcat9-9.0.64-1.amzn2023.0.2.noarch
tomcat9-docs-webapp-9.0.64-1.amzn2023.0.2.noarch
src:
tomcat9-9.0.64-1.amzn2023.0.2.src