[ https://issues.apache.org/jira/browse/OFBIZ-12280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17379269#comment-17379269 ]
ASF subversion and git services commented on OFBIZ-12280:
---------------------------------------------------------

Commit 2e88059bfc96494af4447693b28de5a2f1c9f2ed in ofbiz-framework's branch refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=2e88059 ]

Fixed: Upgrades Tomcat from 9.0.43 to 9.0.48 (OFBIZ-12280)

Due to CVEs-2021-30037/30639/30640

> Upgrade Tomcat from 9.0.43 to 9.0.48 (due to CVEs-2021-30037/30639/30640)
> -------------------------------------------------------------------------
>
>                 Key: OFBIZ-12280
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12280
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework, Gradle
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.01, Release Branch 17.12
>
>
> h1. CVE-2021-33037 HTTP request smuggling
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.6
> Apache Tomcat 9.0.0.M1 to 9.0.46
> Apache Tomcat 8.5.0 to 8.5.66
>
> Description:
> Apache Tomcat did not correctly parse the HTTP transfer-encoding request
> header in some circumstances leading to the possibility to request smuggling
> when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the
> transfer-encoding header if the client declared it would only accept an
> HTTP/1.0 response; Tomcat honoured the identity encoding; and Tomcat did not
> ensure that, if present, the chunked encoding was the final encoding.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.0.7 or later
> - Upgrade to Apache Tomcat 9.0.48 or later
> - Upgrade to Apache Tomcat 8.5.68 or later
>
> Note that the issue was fixed in 9.0.47 and 8.5.67 but the release votes for
> those versions did not pass.
>
> h1. CVE-2021-30639 Denial of Service
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.3 to 10.0.4
> Apache Tomcat 9.0.44
> Apache Tomcat 8.5.64
>
> Description:
> An error introduced as part of a change to improve error handling during
> non-blocking I/O meant that the error flag associated with the Request object
> was not reset between requests. This meant that once a non-blocking I/O error
> occurred, all future requests handled by that request object would fail.
> Users were able to trigger non-blocking I/O errors, e.g. by dropping a
> connection, thereby creating the possibility of triggering a DoS.
> Applications that do not use non-blocking I/O are not exposed to this
> vulnerability.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.0.5 or later
> - Upgrade to Apache Tomcat 9.0.45 or later
> - Upgrade to Apache Tomcat 8.5.65 or later
>
> h1. CVE-2021-30640 JNDI Realm Authentication Weakness
>
> Severity: Low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.5
> Apache Tomcat 9.0.0.M1 to 9.0.45
> Apache Tomcat 8.5.0 to 8.5.65
> Apache Tomcat 7.0.0 to 7.0.108
>
> Description:
> Queries made by the JNDI Realm did not always correctly escape parameters.
> Parameter values could be sourced from user provided data (eg user names) as
> well as configuration data provided by an administrator.
> In limited circumstances it was possible for users to authenticate using
> variations of their user name and/or to bypass some of the protection
> provided by the LockOut Realm.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.0.6 or later
> - Upgrade to Apache Tomcat 9.0.46 or later
> - Upgrade to Apache Tomcat 8.5.66 or later
> - Upgrade to Apache Tomcat 7.0.109 or later
>
> History:
> 2021-07-12 Original advisory
>
> References:
> [1] https://tomcat.apache.org/security-10.html
> [2] https://tomcat.apache.org/security-9.html
> [3] https://tomcat.apache.org/security-8.html
> [4] https://tomcat.apache.org/security-7.html

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
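The CVE-2021-33037 description above names three request shapes on which Tomcat's body framing could diverge from a reverse proxy's. The check below turns those three conditions into a strict front-end validation that refuses such requests before two parsers can disagree. It is an added example, not code from OFBiz, Tomcat or this ticket; the function names, the returned status codes and the constructed sample headers are assumptions of the example.

```python
# Added example (not from the OFBiz ticket or Tomcat): strict Transfer-Encoding
# framing check for an HTTP front end, rejecting the request shapes described
# in CVE-2021-33037 so a proxy and the servlet container cannot disagree on
# where one request body ends and the next request begins.

KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}


def parse_transfer_encodings(value):
    """Split a Transfer-Encoding field value into lower-cased coding names,
    dropping parameters ('chunked;q=1' -> 'chunked') and the empty list
    elements RFC 7230 tolerates. Multiple header lines are assumed to have
    been joined with commas by the caller."""
    codings = []
    for item in value.split(","):
        item = item.strip()
        if item:
            codings.append(item.split(";", 1)[0].strip().lower())
    return codings


def check_request_framing(request_version, headers):
    """Return (accepted, status, reason) for a request line version such as
    'HTTP/1.1' and a list of (name, value) header pairs as received."""
    te_values = [v for n, v in headers if n.lower() == "transfer-encoding"]
    if not te_values:
        return (True, None, "no transfer-encoding")
    codings = parse_transfer_encodings(",".join(te_values))
    # Condition 1: an HTTP/1.0 request has no defined meaning for
    # Transfer-Encoding. Tomcat ignored it while an intermediary might honour
    # it, so refuse rather than guess.
    if request_version != "HTTP/1.1":
        return (False, 400, "transfer-encoding on non-HTTP/1.1 request")
    # Condition 2: 'identity' is not a registered transfer coding (RFC 7230
    # removed it); honouring it let a second parser see a different boundary.
    if "identity" in codings:
        return (False, 400, "identity transfer coding")
    if any(c not in KNOWN_CODINGS for c in codings):
        return (False, 501, "unknown transfer coding")
    # Condition 3: chunked must appear exactly once and be the final coding,
    # otherwise the body length cannot be determined reliably.
    if codings.count("chunked") != 1 or codings[-1] != "chunked":
        return (False, 400, "chunked missing or not the final coding")
    # Content-Length alongside Transfer-Encoding is the classic smuggling
    # ambiguity; treat the combination as malformed instead of picking one.
    if any(n.lower() == "content-length" for n, _ in headers):
        return (False, 400, "both transfer-encoding and content-length")
    return (True, None, "chunked framing")
```

A front end that applies this check returns the status and closes the connection, which is the RFC 7230 behaviour for unreliable framing and is also what the patched Tomcat versions converge on.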