Peyton,

On 7/6/24 00:08, Zhong, Peyton wrote:
> I am writing to inquire about the potential impact of the recently detected critical
> vulnerability: CVE-2024-5535<https://nvd.nist.gov/vuln/detail/CVE-2024-5535>
> (9.1 CRITICAL / CVSS v3), in OpenSSL 3.0.13 on the Tomcat 10.1.20 version. According
> to Black Duck Binary Analysis (BDBA) scans, this vulnerability has been identified
> within the Tomcat 10.1.20 version. There are other detected vulnerabilities inside
> OpenSSL on Tomcat, such as CVE-2024-4603, CVE-2024-2511.
>
> The detected file is: apache-tomcat-10.1.20/bin/tcnative-2.dll
>
> Given this disconcerting discovery, we are seeking clarification on how
> CVE-2024-5535 may affect the Tomcat 10.1.20 version. It is of utmost importance
> for us to understand the implications of this vulnerability and to identify any
> available mitigations or patches to address this issue.
>
> Your prompt attention to this matter is highly valued, and we would be grateful
> for any assistance or guidance you can provide to help us navigate this
> potential security concern.
>
> Thank you for your time and consideration.

Official Tomcat distributions from ASF ship with a statically-linked OpenSSL DLL for Windows. Those DLLs come from the Tomcat-Native project. Each release of Tomcat Native includes the most-recent version of OpenSSL at the time of its release. Often, Tomcat Native releases are tied to important OpenSSL releases for this reason (convenience statically-linked binary for Windows).

You can upgrade (almost) any Tomcat installation with (almost) any newer version of Tomcat Native you wish. It would probably be better to simply upgrade Tomcat itself which will include the latest version of Tomcat Native at the time of release.

It seems there is a new OpenSSL release 3.0.14 while Tomcats and Tomcat Natives after ~Feb 2024 include OpenSSL 3.0.13.

If you are not using Windows, then you can safely remove this file. If you are not using TLS, you can most likely safely remove this file. If you are not using Tomcat Native, then you can safely remove tcnative-2.dll from your environment. If you are not sure if tcnative is being used in your environment, you should find someone who is sure.

-chris
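The reply above turns on one question: does this Tomcat install actually load tcnative-2.dll (and therefore the OpenSSL it bundles), or is the DLL dead weight that can be deleted? The script below is an added example, not code from this thread or from the Tomcat project. It looks at the two places a standard install records the answer: conf/server.xml (Tomcat only loads the native library through org.apache.catalina.core.AprLifecycleListener, and a commented-out listener does not count) and the catalina log (Tomcat 10.1 logs "Loaded Apache Tomcat Native library [...]" and "OpenSSL successfully initialized [OpenSSL ...]" when it succeeds, or "The Apache Tomcat Native library which allows using OpenSSL was not found ..." when it does not). The server.xml and log excerpts it runs against are constructed samples, the file layout and the 3.0.14 comparison target are my assumptions, and the Tomcat Native version in the sample log is illustrative.

```shell
#!/bin/sh
# Added example (not from the thread or the Tomcat project): decide whether
# tcnative-2.dll matters for an install before upgrading or deleting it.
# Assumptions (mine): Tomcat Native is enabled only via AprLifecycleListener
# in conf/server.xml, and the catalina log carries Tomcat 10.1's messages.

# Print XML file $1 with <!-- ... --> comments removed (comments may span
# lines), so a commented-out listener is not mistaken for a live one.
strip_xml_comments() {
    awk '
    { line = $0; out = ""
      while (length(line) > 0) {
        if (!incomment) {
          i = index(line, "<!--")
          if (i == 0) { out = out line; break }
          out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1
        } else {
          i = index(line, "-->")
          if (i == 0) break
          line = substr(line, i + 3); incomment = 0
        }
      }
      print out }' "$1"
}

# 0 if server.xml ($1) has a live AprLifecycleListener, 1 otherwise.
apr_listener_enabled() {
    strip_xml_comments "$1" | grep -q 'org.apache.catalina.core.AprLifecycleListener'
}

# 0 if the catalina log ($1) shows the native library was really loaded.
native_loaded() {
    grep -q 'Loaded Apache Tomcat Native library \[' "$1"
}

# Print the OpenSSL version Tomcat reported (e.g. 3.0.13); empty if none.
openssl_version_from_log() {
    sed -n 's/.*OpenSSL successfully initialized \[OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' "$1" | head -n 1
}

# 0 if dotted version $1 is older than $2, compared field by field.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1 }'
}

# Verdict for an install: server.xml ($1), catalina log ($2), and the
# OpenSSL version that carries the fix ($3, e.g. 3.0.14).
#   unused  - listener off or library never loaded: the DLL is dead weight
#   exposed - native loaded with an OpenSSL older than $3
#   ok      - native loaded with $3 or newer
check_install() {
    if ! apr_listener_enabled "$1" || ! native_loaded "$2"; then
        echo unused; return 0
    fi
    v=$(openssl_version_from_log "$2")
    if [ -z "$v" ] || version_lt "$v" "$3"; then echo exposed; else echo ok; fi
}

# Constructed sample inputs (not real files from anyone's server); prints
# the temp directory they were written to.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/server-apr.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
</Server>
EOF
    cat > "$dir/server-noapr.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <!--
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  -->
</Server>
EOF
    cat > "$dir/catalina-loaded.log" <<'EOF'
06-Jul-2024 00:08:00.000 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [2.0.7] using APR version [1.7.4].
06-Jul-2024 00:08:00.100 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.13 30 Jan 2024]
EOF
    cat > "$dir/catalina-missing.log" <<'EOF'
06-Jul-2024 00:08:00.000 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/lib]
EOF
    echo "$dir"
}

# Run the check over the constructed samples; swap in your own paths.
samples=$(write_samples)
for log in catalina-loaded.log catalina-missing.log; do
    echo "$log: $(check_install "$samples/server-apr.xml" "$samples/$log" 3.0.14)"
done
rm -rf "$samples"
```

A verdict of "unused" is the case the reply describes: nothing loads the DLL, so removing it silences the scanner without changing behaviour. "exposed" means the install really does run the bundled OpenSSL, and the fix is the one the reply gives: a newer Tomcat Native (or a newer Tomcat that ships one), not hand-editing the DLL. Note that an "ok" verdict only tells you the OpenSSL version Tomcat reported at startup; it says nothing about whether any connector is configured to use it.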
