On 21/03/2022 16:26, Matthew Mellon wrote:
Tomcat 8.5.77 was published on March 17. The Windows distribution contains tcnative-1.dll, version 1.2.31.

Tcnative-1.dll appears to be statically linked to OpenSSL, and was built in 2021, prior to the fix for CVE-2022-0778 being published by OpenSSL.

The tcnative source tree was updated to “recommend” a new version of OpenSSL six days ago, but the DLL in the 8.5.77 release doesn’t appear to have been built with this change.

I believe this means that if an APR connector is enabled, the Windows distribution of Tomcat 8.5.77 is exposed to a pretty severe DoS attack vector. I emailed secur...@tomcat.apache.org about this, believing that that was the responsible way to bring this to light, but received a pretty nasty email in response that told me that this mailing list was the correct forum.

CVE-2022-0778 is public. You posted a question to the Apache Tomcat security team that did not concern an undisclosed security vulnerability in Apache Tomcat. This happens sufficiently often that we have a canned response for when this happens. For the record this is the content of that canned response:

<quote>
To whom it may concern,

You recently contacted the Apache Tomcat security team. As explained
in [1], the e-mail address you used should only be used for
reporting undisclosed security vulnerabilities in Apache Tomcat and
managing the process of fixing such vulnerabilities. Your e-mail does
not meet those criteria.

You may wish to read some information on how the ASF works [2] before
proceeding with your enquiry via the appropriate channel, which will
almost certainly be the Apache Tomcat users mailing list [3].

The Apache Tomcat security team

[1] http://tomcat.apache.org/security.html
[2] http://apache.org/foundation/how-it-works.html
[3] https://tomcat.apache.org/lists.html#tomcat-users
</quote>

Would it be possible to get a canonical version of Tomcat (e.g. 8.5.78) built that contains the remediation for CVE-2022-0778?

There is a Tomcat Native 1.2.32 release in progress at the moment that includes convenience Windows binaries built with OpenSSL 1.1.1n.

That release vote looks like it is going to pass so that release should be available on the download pages sometime tomorrow.

Tomcat releases are usually monthly, with the process starting at the beginning of the month. I'd therefore expect to see an 8.5.78 release roughly around the second week of April that includes the Tomcat Native 1.2.32 release.

Is there anything I can do to help?

Test the Tomcat Native 1.2.32 release. Details on the dev@ list.

The changes since 1.2.31 are minor and don't include any code changes, so the likelihood of a regression is low. However, the more people that test a release and VOTE on it the better.

Test the 8.5.78 release when it happens. Watch the dev@ list for details.

Some other options:

Disable the APR/Native library so Tomcat uses NIO+JSSE instead.

Update to Tomcat Native 1.2.32 once released (single DLL for Windows that is a drop-in replacement).

Build 1.2.31 from source using OpenSSL 1.1.1n. The build process we use is documented at [1]. The hoop jumping is mainly to ensure that the resulting binaries will run on all currently supported Windows versions without requiring that additional runtimes etc. are installed. Given that 1.2.32 is so close to release, it may not be worth the time required to follow this option.

Mark


[1] https://cwiki.apache.org/confluence/display/TOMCAT/Building+the+Tomcat+Native+Connector+binaries+for+Windows


Matthew Mellon, CISSP
Chief Information Security Officer

828.265.2907 ext 5058 | www.ecrs.com
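A check a defender can run for exactly the situation Matthew raises (a tcnative-1.dll statically linked to an OpenSSL older than 1.1.1n), added here as an example and not code from the thread or from the Tomcat project: OpenSSL compiles its version text into every binary it is linked into, so scanning the DLL for that string shows which OpenSSL the native connector really carries, independent of the tcnative version number. The same pattern also matches the `OpenSSL successfully initialized [...]` banner Tomcat logs at startup (that banner format is my assumption, not something the thread states), and all sample inputs used with it are constructed.

```python
"""Scan a tcnative-1.dll (or any blob) for the embedded OpenSSL version and
flag 1.1.1 builds older than 1.1.1n, the first 1.1.1 release that carries the
CVE-2022-0778 fix. Added example, not part of the Tomcat project."""
import re
import sys

# OpenSSL's OPENSSL_VERSION_TEXT looks like b"OpenSSL 1.1.1k  25 Mar 2021";
# a statically linked tcnative build carries it verbatim in the DLL.
VERSION_RE = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)\s+\d{1,2} [A-Z][a-z]{2} \d{4}"
)
FIXED_1_1_1 = (1, 1, 1, "n")  # version the thread says 1.2.32 is built with


def version_key(v):
    """Sort key so that 1.1.1 < 1.1.1a < ... < 1.1.1z < 1.1.1za."""
    major, minor, patch, letter = v
    return (major, minor, patch, len(letter), letter)


def find_openssl_versions(data: bytes):
    """Return every OpenSSL version embedded in a binary blob or log text."""
    return [
        (int(a), int(b), int(c), d.decode())
        for a, b, c, d in (m.groups() for m in VERSION_RE.finditer(data))
    ]


def assess(data: bytes) -> dict:
    """Summarise exposure of the 1.1.1 release line to CVE-2022-0778.

    Verdicts: "vulnerable", "fixed", "no-openssl" (nothing embedded, e.g. a
    dynamically linked build) or "not-assessed" (a release line this check
    does not cover; only 1.1.1 is relevant to the thread).
    """
    versions = find_openssl_versions(data)
    if not versions:
        return {"versions": [], "verdict": "no-openssl"}
    line_111 = [v for v in versions if v[:3] == (1, 1, 1)]
    if not line_111:
        return {"versions": versions, "verdict": "not-assessed"}
    oldest = min(line_111, key=version_key)
    fixed = version_key(oldest) >= version_key(FIXED_1_1_1)
    return {"versions": versions, "verdict": "fixed" if fixed else "vulnerable"}


if __name__ == "__main__":
    # Usage: python check_tcnative.py <path-to-tcnative-1.dll>
    with open(sys.argv[1], "rb") as f:
        print(assess(f.read()))
```

Run it against the DLL shipped in the Tomcat bin directory; a "vulnerable" verdict with an APR connector enabled is the condition the thread discusses, and a "no-openssl" verdict means the version must be taken from the startup banner instead.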

