[ 
https://issues.apache.org/jira/browse/OFBIZ-12280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17379252#comment-17379252
 ] 

ASF subversion and git services commented on OFBIZ-12280:
---------------------------------------------------------

Commit 1f71cfec9ef26c186e9119ba2e9bd670a1cf7770 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=1f71cfe ]

Fixed: Upgrades Tomcat from 9.0.43 to 9.0.48 (due to 
CVEs-2021-30037/30639/30640) (OFBIZ-12280)


> Upgrade Tomcat from 9.0.43 to 9.0.48 (due to CVEs-2021-30037/30639/30640)
> -------------------------------------------------------------------------
>
>                 Key: OFBIZ-12280
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12280
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework, Gradle
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, Release Branch 17.12
>
>
> h1. CVE-2021-33037 HTTP request smuggling
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.6
> Apache Tomcat 9.0.0.M1 to 9.0.46
> Apache Tomcat 8.5.0 to 8.5.66
> Description:
> Apache Tomcat did not correctly parse the HTTP transfer-encoding request 
> header in some circumstances, leading to the possibility of request smuggling 
> when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the 
> transfer-encoding header if the client declared it would only accept an 
> HTTP/1.0 response; Tomcat honoured the identity encoding; and Tomcat did not 
> ensure that, if present, the chunked encoding was the final encoding.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.0.7 or later
> - Upgrade to Apache Tomcat 9.0.48 or later
> - Upgrade to Apache Tomcat 8.5.68 or later
> Note that the issue was fixed in 9.0.47 and 8.5.67 but the release votes for 
> those versions did not pass.
> h1. CVE-2021-30639 Denial of Service
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.3 to 10.0.4
> Apache Tomcat 9.0.44
> Apache Tomcat 8.5.64
> Description:
> An error introduced as part of a change to improve error handling during 
> non-blocking I/O meant that the error flag associated with the Request object 
> was not reset between requests. This meant that once a non-blocking I/O error 
> occurred, all future requests handled by that request object would fail. 
> Users were able to trigger non-blocking I/O errors, e.g. by dropping a 
> connection, thereby creating the possibility of triggering a DoS.
> Applications that do not use non-blocking I/O are not exposed to this 
> vulnerability.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.0.5 or later
> - Upgrade to Apache Tomcat 9.0.45 or later
> - Upgrade to Apache Tomcat 8.5.65 or later 
> h1. CVE-2021-30640 JNDI Realm Authentication Weakness
> Severity: Low
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.5
> Apache Tomcat 9.0.0.M1 to 9.0.45
> Apache Tomcat 8.5.0 to 8.5.65
> Apache Tomcat 7.0.0 to 7.0.108
> Description:
> Queries made by the JNDI Realm did not always correctly escape parameters. 
> Parameter values could be sourced from user provided data (e.g. user names) as 
> well as configuration data provided by an administrator.
> In limited circumstances it was possible for users to authenticate using 
> variations of their user name and/or to bypass some of the protection 
> provided by the LockOut Realm.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.0.6 or later
> - Upgrade to Apache Tomcat 9.0.46 or later
> - Upgrade to Apache Tomcat 8.5.66 or later
> - Upgrade to Apache Tomcat 7.0.109 or later
> History:
> 2021-07-12 Original advisory
> References:
> [1] https://tomcat.apache.org/security-10.html
> [2] https://tomcat.apache.org/security-9.html
> [3] https://tomcat.apache.org/security-8.html
> [4] https://tomcat.apache.org/security-7.html
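The three parsing rules the CVE-2021-33037 description above lists, turned into a defender-side check over a raw request head, as an added example that is not code from the OFBiz issue or from Tomcat; the request samples are constructed and the function names are my own. It also flags the RFC 7230 case of Content-Length and Transfer-Encoding appearing together, which the advisory does not mention.

```python
# Added example: apply the CVE-2021-33037 parsing rules to a request head so a
# proxy operator or test harness can flag requests that a pre-9.0.48 Tomcat
# would have framed differently from the reverse proxy in front of it.

def parse_head(raw: str):
    """Split a request head into (request_line, [(name, value), ...])."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:              # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def check_transfer_encoding(raw: str) -> list:
    """Return a list of findings; an empty list means the framing is unambiguous."""
    request_line, headers = parse_head(raw)
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    if not te_values:
        return []
    findings = []
    # Rule 1: Transfer-Encoding must be honoured even when the request line says
    # HTTP/1.0 (the case the vulnerable parser ignored).
    if request_line.rsplit(" ", 1)[-1] == "HTTP/1.0":
        findings.append("transfer-encoding present on an HTTP/1.0 request")
    # Flatten the comma-separated coding list, preserving order.
    codings = [c.strip().lower() for v in te_values for c in v.split(",") if c.strip()]
    # Rule 2: 'identity' is not a valid transfer coding in HTTP/1.1.
    if "identity" in codings:
        findings.append("identity transfer coding is not valid")
    # Rule 3: if chunked is present it must be the final coding.
    if "chunked" in codings and codings[-1] != "chunked":
        findings.append("chunked is not the final transfer coding")
    # Extra RFC 7230 check: both framing headers present is a smuggling signal.
    if any(n == "content-length" for n, _ in headers):
        findings.append("both content-length and transfer-encoding present")
    return findings

# Constructed sample request heads (not captured traffic).
SAMPLES = {
    "clean":      "POST /x HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\n\r\n",
    "http10":     "POST /x HTTP/1.0\r\nHost: a\r\nTransfer-Encoding: chunked\r\n\r\n",
    "not_final":  "POST /x HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked, identity\r\n\r\n",
    "cl_and_te":  "POST /x HTTP/1.1\r\nHost: a\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(label, check_transfer_encoding(head))
```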



--
This message was sent by Atlassian Jira
(v8.3.4#803005)