Cherish the word as gold.

Regards,
r00t4dm
Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department
> On 5 Mar 2021, at 17:48, Mark Thomas <ma...@apache.org> wrote:
>
> On 05/03/2021 08:20, Kursu, Teemu wrote:
>> Hi,
>> Just to make sure that I understand this correctly. Does this vulnerability
>> affect both the http1.1 and http2 protocols?
>
> No.
>
>> I mean, is this vulnerability still relevant if HTTP Upgrade Protocol is not
>> implemented in server.xml?
>
> No.
>
> Mark
>
>> Regards,
>> Teemu Kursu
>>
>> -----Original Message-----
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Monday, 1 March 2021 13:05
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Cc: annou...@tomcat.apache.org; annou...@apache.org; Tomcat Developers List
>> <d...@tomcat.apache.org>
>> Subject: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up
>>
>> CVE-2021-25122 h2c request mix-up
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 10.0.0-M1 to 10.0.0
>> Apache Tomcat 9.0.0.M1 to 9.0.41
>> Apache Tomcat 8.5.0 to 8.5.61
>>
>> Description:
>> When responding to new h2c connection requests, Apache Tomcat could
>> duplicate request headers and a limited amount of request body from one
>> request to another, meaning user A and user B could both see the results of
>> user A's request.
>>
>> Mitigation:
>> Users of the affected versions should apply one of the following
>> mitigations:
>> - Upgrade to Apache Tomcat 10.0.2 or later
>> - Upgrade to Apache Tomcat 9.0.43 or later
>> - Upgrade to Apache Tomcat 8.5.63 or later
>>
>> Note that the issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes
>> for those versions did not pass.
>>
>> Credit:
>> This issue was identified by the Apache Tomcat Security Team.
>> History:
>> 2021-03-01 Original advisory
>>
>> References:
>> [1] https://urldefense.com/v3/__https://tomcat.apache.org/security-10.html__;!!AaIhyw!6xXF00kSUgG8NOWtmsLCoiJJUh-IJvGXMrOucbsVMScQa-NJEaSlVcaTy9fRppI$
>> [2] https://urldefense.com/v3/__https://tomcat.apache.org/security-9.html__;!!AaIhyw!6xXF00kSUgG8NOWtmsLCoiJJUh-IJvGXMrOucbsVMScQa-NJEaSlVcaTIcr_boE$
>> [3] https://urldefense.com/v3/__https://tomcat.apache.org/security-8.html__;!!AaIhyw!6xXF00kSUgG8NOWtmsLCoiJJUh-IJvGXMrOucbsVMScQa-NJEaSlVcaTo3daRfo$
>> [4] https://urldefense.com/v3/__https://tomcat.apache.org/security-7.html__;!!AaIhyw!6xXF00kSUgG8NOWtmsLCoiJJUh-IJvGXMrOucbsVMScQa-NJEaSlVcaTaVldwns$
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
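A defender-side check for the two conditions this thread states, namely a Tomcat version inside the advisory's affected ranges and an HTTP/2 UpgradeProtocol declared in server.xml; this is an added example, not code from the thread, from Apache Tomcat, or from either poster. The server.xml is a constructed sample, and the UpgradeProtocol className is Tomcat's standard HTTP/2 one.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release on each branch, from the advisory's Mitigation section.
# 10.0.1, 9.0.42 and 8.5.62 never shipped (release votes failed), so every
# version below the listed one is treated as affected.
FIRST_FIXED = {(10, 0): "10.0.2", (9, 0): "9.0.43", (8, 5): "8.5.63"}
HTTP2_UPGRADE = "org.apache.coyote.http2.Http2Protocol"  # standard Tomcat className

# Constructed sample server.xml: one plaintext connector with the h2 upgrade enabled.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

def parse_version(v):
    """'9.0.41', '10.0.0-M1' or '9.0.0.M1' -> comparable tuple; a milestone
    sorts before the final release carrying the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: " + v)
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), milestone is None, int(milestone or 0))

def version_affected(v):
    """True when v falls inside the advisory's 'Versions Affected' ranges."""
    t = parse_version(v)
    fixed = FIRST_FIXED.get(t[:2])
    if fixed is None:
        return False  # branch not listed as affected (e.g. 7.0.x)
    return t < parse_version(fixed)

def connectors_with_h2_upgrade(server_xml_text):
    """Ports of Connectors declaring the HTTP/2 UpgradeProtocol (the server.xml
    configuration Mark Thomas says the issue depends on)."""
    root = ET.fromstring(server_xml_text)
    return [c.get("port") for c in root.iter("Connector")
            if any(u.get("className") == HTTP2_UPGRADE
                   for u in c.findall("UpgradeProtocol"))]

def exposed(version, server_xml_text):
    """Both conditions from the thread must hold for CVE-2021-25122 to apply."""
    return version_affected(version) and bool(connectors_with_h2_upgrade(server_xml_text))
```

Run `exposed(<version string>, open("conf/server.xml").read())` against a real installation; a True result means patching to the fixed release on that branch is the mitigation the advisory gives.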