Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure
On 29/06/2023 14:24, George Angeletos wrote:
> Hello,
>
> I presume this only affects setups using AJP connectors - right?

Correct.

Mark

> Thanks
> George
>
> On Wed, 21 Jun 2023 at 13:21, Mark Thomas wrote:
>> CVE-2023-34981 Apache Tomcat - Information disclosure
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 11.0.0-M5
>> Apache Tomcat 10.1.8
>> Apache Tomcat 9.0.74
>> Apache Tomcat 8.5.88
>>
>> Description:
>> The fix for bug 66512 introduced a regression that was fixed as bug
>> 66591. The regression meant that, if a response did not have any HTTP
>> headers set, no AJP SEND_HEADERS message would be sent which in turn
>> meant that at least one AJP based proxy (mod_proxy_ajp) would use the
>> response headers from the previous request for the current request
>> leading to an information leak.
>>
>> Mitigation:
>> Users of the affected versions should apply one of the following
>> mitigations:
>> - Upgrade to Apache Tomcat 11.0.0-M6 or later
>> - Upgrade to Apache Tomcat 10.1.9 or later
>> - Upgrade to Apache Tomcat 9.0.75 or later
>> - Upgrade to Apache Tomcat 8.5.89 or later
>>
>> Credit:
>> Hidenobu Hayashi and Yuichiro Fukubayashi of M3, Inc.
>>
>> History:
>> 2023-06-21 Original advisory
>>
>> References:
>> [1] https://tomcat.apache.org/security-11.html
>> [2] https://tomcat.apache.org/security-10.html
>> [3] https://tomcat.apache.org/security-9.html
>> [4] https://tomcat.apache.org/security-8.html
>> [5] https://bz.apache.org/bugzilla/show_bug.cgi?id=66512
>> [6] https://bz.apache.org/bugzilla/show_bug.cgi?id=66591
>>
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
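The advisory's Description turns on one framing detail of the AJP13 protocol: a container must send a SEND_HEADERS message for every response, even one that sets no headers, because the web-server side has nothing else to delimit the current response from the previous one. The following is an added example, not Tomcat or mod_proxy_ajp code. It encodes and decodes the two response messages (SEND_HEADERS, prefix 4, and END_RESPONSE, prefix 5, with the common-header code table from the AJP13 protocol description) and includes a constructed proxy-side assembler that refuses to build an HTTP response when the current request's own SEND_HEADERS is missing, rather than falling back to state left by an earlier request. The header values and the `assemble_response` logic are constructed for illustration.

```python
"""Constructed illustration of AJP13 response framing (added example; not Tomcat
or mod_proxy_ajp code). It shows the two messages a servlet container sends
back for every response, SEND_HEADERS and END_RESPONSE, and a strict proxy-side
assembler that rejects a response lacking its own SEND_HEADERS instead of
reusing headers from a previous request."""
import struct

# Container -> web server prefix codes, from the AJP13 protocol description.
SEND_HEADERS = 4
END_RESPONSE = 5

# AJP13 lets common response header names travel as 2-byte codes, not strings.
COMMON_RESPONSE_HEADERS = {
    0xA001: "Content-Type", 0xA002: "Content-Language", 0xA003: "Content-Length",
    0xA004: "Date", 0xA005: "Last-Modified", 0xA006: "Location",
    0xA007: "Set-Cookie", 0xA008: "Set-Cookie2", 0xA009: "Servlet-Engine",
    0xA00A: "Status", 0xA00B: "WWW-Authenticate",
}
HEADER_CODES = {name.lower(): code for code, name in COMMON_RESPONSE_HEADERS.items()}


class AjpFramingError(Exception):
    """Raised when the container's messages do not frame a complete response."""


def _ajp_string(s):
    """AJP string: 2-byte big-endian length, the bytes, then a NUL terminator."""
    data = s.encode("latin-1")
    return struct.pack(">H", len(data)) + data + b"\x00"


def _read_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("latin-1"), pos + n + 1  # skip the NUL


def _packet(body):
    """Container -> server packets start with the magic 'AB' and a 2-byte length."""
    return b"AB" + struct.pack(">H", len(body)) + body


def encode_send_headers(status, reason, headers):
    body = struct.pack(">BH", SEND_HEADERS, status) + _ajp_string(reason)
    body += struct.pack(">H", len(headers))  # num_headers may legitimately be 0
    for name, value in headers:
        code = HEADER_CODES.get(name.lower())
        body += struct.pack(">H", code) if code else _ajp_string(name)
        body += _ajp_string(value)
    return _packet(body)


def encode_end_response(reuse=True):
    return _packet(struct.pack(">BB", END_RESPONSE, 1 if reuse else 0))


def frame_response(status, reason, headers):
    """What a correct container emits: SEND_HEADERS goes out even with no headers."""
    return [encode_send_headers(status, reason, headers), encode_end_response()]


def decode_message(packet):
    if packet[:2] != b"AB":
        raise AjpFramingError("bad magic")
    (length,) = struct.unpack_from(">H", packet, 2)
    body = packet[4:4 + length]
    if len(body) != length:
        raise AjpFramingError("truncated packet")
    prefix = body[0]
    if prefix == SEND_HEADERS:
        (status,) = struct.unpack_from(">H", body, 1)
        reason, pos = _read_string(body, 3)
        (count,) = struct.unpack_from(">H", body, pos)
        pos += 2
        headers = []
        for _ in range(count):
            (code,) = struct.unpack_from(">H", body, pos)
            if code in COMMON_RESPONSE_HEADERS:      # 0xA0xx short form
                name, pos = COMMON_RESPONSE_HEADERS[code], pos + 2
            else:                                    # plain AJP string
                name, pos = _read_string(body, pos)
            value, pos = _read_string(body, pos)
            headers.append((name, value))
        return {"type": "SEND_HEADERS", "status": status, "reason": reason, "headers": headers}
    if prefix == END_RESPONSE:
        return {"type": "END_RESPONSE", "reuse": bool(body[1])}
    raise AjpFramingError("unexpected prefix code %d" % prefix)


def assemble_response(packets):
    """Constructed proxy-side stand-in: build (status, headers) for ONE request
    from that request's own messages only. Nothing is carried over from a
    previous request; END_RESPONSE without a preceding SEND_HEADERS is an error."""
    status_and_headers = None
    for packet in packets:
        msg = decode_message(packet)
        if msg["type"] == "SEND_HEADERS":
            status_and_headers = (msg["status"], msg["headers"])
        elif msg["type"] == "END_RESPONSE":
            if status_and_headers is None:
                raise AjpFramingError("END_RESPONSE without SEND_HEADERS for this request")
            return status_and_headers
    raise AjpFramingError("response not terminated by END_RESPONSE")
```

The design point is that the assembler's per-request state starts empty and is never seeded from the previous response, so a container that skips SEND_HEADERS produces a visible framing error instead of a silent header carry-over.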
Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure
Hello,

I presume this only affects setups using AJP connectors - right?

Thanks
George

On Wed, 21 Jun 2023 at 13:21, Mark Thomas wrote:
> CVE-2023-34981 Apache Tomcat - Information disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 11.0.0-M5
> Apache Tomcat 10.1.8
> Apache Tomcat 9.0.74
> Apache Tomcat 8.5.88
>
> Description:
> The fix for bug 66512 introduced a regression that was fixed as bug
> 66591. The regression meant that, if a response did not have any HTTP
> headers set, no AJP SEND_HEADERS message would be sent which in turn
> meant that at least one AJP based proxy (mod_proxy_ajp) would use the
> response headers from the previous request for the current request
> leading to an information leak.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 11.0.0-M6 or later
> - Upgrade to Apache Tomcat 10.1.9 or later
> - Upgrade to Apache Tomcat 9.0.75 or later
> - Upgrade to Apache Tomcat 8.5.89 or later
>
> Credit:
> Hidenobu Hayashi and Yuichiro Fukubayashi of M3, Inc.
>
> History:
> 2023-06-21 Original advisory
>
> References:
> [1] https://tomcat.apache.org/security-11.html
> [2] https://tomcat.apache.org/security-10.html
> [3] https://tomcat.apache.org/security-9.html
> [4] https://tomcat.apache.org/security-8.html
> [5] https://bz.apache.org/bugzilla/show_bug.cgi?id=66512
> [6] https://bz.apache.org/bugzilla/show_bug.cgi?id=66591
RE: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure
Now that is what I call proactive!

Dream * Excel * Explore * Inspire

Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com

This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.

> -----Original Message-----
> From: James H. H. Lampert
> Sent: Thursday, June 22, 2023 10:25 AM
> To: Tomcat Users List
> Subject: Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure
> Importance: High
>
> Funny thing: we recently needed to update a customer's Tomcat because
> they were complaining about a security issue that had prompted 8.5.88.
>
> And by the time we got the update request, 8.5.89 was already out, but we
> hadn't yet heard of CVE-2023-34981.
>
> So we'd already skipped over 8.5.88 before we were even aware that it had a
> problem.
>
> --
> JHHL
Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure
Funny thing: we recently needed to update a customer's Tomcat because they were complaining about a security issue that had prompted 8.5.88.

And by the time we got the update request, 8.5.89 was already out, but we hadn't yet heard of CVE-2023-34981.

So we'd already skipped over 8.5.88 before we were even aware that it had a problem.

--
JHHL
Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure
On 22/06/2023 00:17, Stefan Mayr wrote:
> Hi,
>
> On 21.06.2023 at 12:20, Mark Thomas wrote:
>> CVE-2023-34981 Apache Tomcat - Information disclosure
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 11.0.0-M5
>> Apache Tomcat 10.1.8
>> Apache Tomcat 9.0.74
>> Apache Tomcat 8.5.88
>>
>> Description:
>> The fix for bug 66512 introduced a regression that was fixed as bug
>> 66591. The regression meant that, if a response did not have any HTTP
>> headers set, no AJP SEND_HEADERS message would be sent which in turn
>> meant that at least one AJP based proxy (mod_proxy_ajp) would use the
>> response headers from the previous request for the current request
>> leading to an information leak.
>> ...
>
> Are setups with mod_jk also affected?

Almost certainly but it wasn't explicitly tested.

Mark
Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure
Hi,

On 21.06.2023 at 12:20, Mark Thomas wrote:
> CVE-2023-34981 Apache Tomcat - Information disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 11.0.0-M5
> Apache Tomcat 10.1.8
> Apache Tomcat 9.0.74
> Apache Tomcat 8.5.88
>
> Description:
> The fix for bug 66512 introduced a regression that was fixed as bug
> 66591. The regression meant that, if a response did not have any HTTP
> headers set, no AJP SEND_HEADERS message would be sent which in turn
> meant that at least one AJP based proxy (mod_proxy_ajp) would use the
> response headers from the previous request for the current request
> leading to an information leak.
> ...

Are setups with mod_jk also affected?

Thanks,

Stefan