On 06/07/2024 05:08, Zhong, Peyton wrote:
> Dear Tomcat Community,
> I am writing to inquire about the potential impact of the recently detected critical
> vulnerability: CVE-2024-5535<https://nvd.nist.gov/vuln/detail/CVE-2024-5535>
> (9.1 CRITICAL / CVSS v3), in OpenSSL 3.0.13 on the Tomcat 10.1.20 version. According
> to Black Duck Binary Analysis (BDBA) scans, this vulnerability has been identified
> within the Tomcat 10.1.20 version. There are other detected vulnerabilities inside
> OpenSSL on Tomcat, such as CVE-2024-4603.
> The detected file is: apache-tomcat-10.1.20/bin/tcnative-2.dll
> Given this disconcerting discovery, we are seeking clarification on how
> CVE-2024-5535 may affect the Tomcat 10.1.20 version. It is of utmost importance
> for us to understand the implications of this vulnerability and to identify any
> available mitigations or patches to address this issue.
> Your prompt attention to this matter is highly valued, and we would be grateful
> for any assistance or guidance you can provide to help us navigate this
> potential security concern.
> Thank you for your time and consideration.
Another illustration of why CVSS scores are a bad idea.
Did you read the description from the OpenSSL project for CVE-2024-5535?
Its severity is low, not critical. If you did read the description, did
you check the Tomcat Native source code to see if Tomcat uses the method
in question?
Same questions for CVE-2024-4603.
For CVE-2024-4603 did you read the description from the OpenSSL project?
Are you using an affected configuration? If yes, can you switch to one
that isn't affected?
You have access to all the information you need to be able to answer
your questions yourself. If it is important to you as you say it is then
why are you asking us to do the work for you rather than doing it yourself?
There are no plans at present for a new Tomcat Native release to pick up
an updated OpenSSL version for the Windows binaries. However, given that
some valid/likely configurations are affected, it is probable that there
will be a Tomcat Native release some time this month so it can be picked
up for the August Tomcat releases.
Mark
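The two checks Mark describes (which OpenSSL release is actually baked into the binary, and whether the Tomcat Native source calls the function the advisory names) can be scripted for triage; the block below is an added example, not code from this thread or from the Tomcat project. The function names and fixed 3.0-series versions are taken from the OpenSSL advisories for the two CVEs, and the DLL bytes and source snippets it scans are constructed stand-ins, not the real tcnative-2.dll or tcnative source.

```python
import re

# Facts taken from the OpenSSL advisories (not from the thread): the function
# each CVE concerns and the first 3.0-series release that carries the fix.
ADVISORIES = {
    "CVE-2024-5535": {"functions": ["SSL_select_next_proto"], "fixed_in": (3, 0, 15)},
    "CVE-2024-4603": {"functions": ["EVP_PKEY_param_check", "EVP_PKEY_public_check"],
                      "fixed_in": (3, 0, 14)},
}
# OpenSSL embeds a string such as "OpenSSL 3.0.13 30 Jan 2024" in the library.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)")


def embedded_openssl_version(blob):
    """Return the (major, minor, patch) tuple baked into a binary, or None."""
    m = VERSION_RE.search(blob)
    return tuple(int(x) for x in m.groups()) if m else None


def callers_in_source(sources, function):
    """Paths whose text calls `function`; sources maps path -> file contents."""
    call = re.compile(r"\b" + re.escape(function) + r"\s*\(")
    return sorted(path for path, text in sources.items() if call.search(text))


def triage(blob, sources):
    """Per-CVE verdict: version read from the binary, function use from source.

    A statically linked, stripped DLL carries no symbol names, so whether the
    function is used must be answered from the source, as the reply suggests.
    """
    version = embedded_openssl_version(blob)
    verdicts = {}
    for cve, info in ADVISORIES.items():
        if version is None:
            verdicts[cve] = "unknown: no OpenSSL version string in binary"
        elif version >= info["fixed_in"]:
            verdicts[cve] = "not affected: bundled OpenSSL carries the fix"
        else:
            hits = {f: callers_in_source(sources, f) for f in info["functions"]}
            hits = {f: paths for f, paths in hits.items() if paths}
            if hits:
                where = "; ".join(f"{f} in {', '.join(p)}" for f, p in hits.items())
                verdicts[cve] = "review: vulnerable version and calls " + where
            else:
                verdicts[cve] = "likely unaffected: function never called in source"
    return verdicts


# Constructed inputs standing in for tcnative-2.dll and a source checkout.
SAMPLE_DLL = b"MZ\x90\x00" + b"\x00" * 16 + b"OpenSSL 3.0.13 30 Jan 2024\x00"
SAMPLE_SOURCES = {
    "native/src/sslcontext.c": "rc = SSL_select_next_proto(&out, &olen, in, ilen, p, plen);",
    "native/src/sslutils.c": "/* no DSA key checks in this file */",
}
```

A "review" verdict still needs the advisory's affected-configuration question answered (for CVE-2024-5535, whether the caller can ever pass an empty protocol list); a "likely unaffected" verdict for CVE-2024-4603 only covers code paths in the scanned source, not keys checked elsewhere.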
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org