Hi Mark,

Thanks for your information. Let me briefly explain for myself.

Because OpenSSL is one of the most widely used open-source cryptographic 
libraries for implementing secure communications on the internet, it is 
essential for us to upgrade to secure versions to mitigate various threats, 
especially for software supply chain threats. To conduct risk assessments for 
each vulnerability to mitigate risks is the last resort, because residual risks 
still remain from a software supply chain perspective.

CVSS is used in security to provide a standardized method for assessing the 
severity of security vulnerabilities.

Although CVE-2024-5535 was rated as low in OpenSSL, it is rated as 9.1 
CRITICAL from source CISA-ADP 
(<https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2024-5535&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H&version=3.1&source=CISA-ADP>). 
With that, we could not underestimate such an issue. Hope you can understand 
my concerns.

In conclusion, we anticipate the upcoming release of Tomcat Native, which will 
incorporate the latest OpenSSL version and be included in the new Tomcat 
release. Thank you.


Best regards,
Peyton Zhong


From: Mark Thomas <ma...@apache.org>
Date: Sunday, 7 July 2024 at 2:05 AM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: Re: Inquiry about CVE-2024-5535 Vulnerability in Tomcat 10.1.20 Version

On 06/07/2024 05:08, Zhong, Peyton wrote:
> Dear Tomcat Community,
>
> I am writing to inquire about the potential impact of the recently detected 
> critical vulnerability: 
> CVE-2024-5535 <https://nvd.nist.gov/vuln/detail/CVE-2024-5535>
>  (9.1 CRITICAL / CVSS v3), in OpenSSL 3.0.13 on the Tomcat 10.1.20 version. 
> According to Black Duck Binary Analysis (BDBA) scans, this vulnerability has 
> been identified within the Tomcat 10.1.20 version. There are other detected 
> vulnerabilities inside OpenSSL on Tomcat, such as CVE-2024-4603.
> The detected file is: apache-tomcat-10.1.20/bin/tcnative-2.dll
>
> Given this disconcerting discovery, we are seeking clarification on how 
> CVE-2024-5535 may affect the Tomcat 10.1.20 version. It is of utmost 
> importance for us to understand the implications of this vulnerability and to 
> identify any available mitigations or patches to address this issue.
>
> Your prompt attention to this matter is highly valued, and we would be 
> grateful for any assistance or guidance you can provide to help us navigate 
> this potential security concern.
>
> Thank you for your time and consideration.

Another illustration of why CVSS scores are a bad idea.

Did you read the description from the OpenSSL project for CVE-2024-5535?
Its severity is low, not critical. If you did read the description, did
you check the Tomcat Native source code to see if Tomcat uses the method
in question?

Same questions for CVE-2024-4603.

For CVE-2024-4603 did you read the description from the OpenSSL project?
Are you using an affected configuration? If yes, can you switch to one
that isn't affected?

You have access to all the information you need to be able to answer
your questions yourself. If it is important to you as you say it is then
why are you asking us to do the work for you rather than doing it yourself?

There are no plans at present for a new Tomcat Native release to pick up
an updated OpenSSL version for the Windows binaries. However, given that
some valid/likely configurations are affected, it is probable that there
will be a Tomcat Native release some time this month so it can be picked
up for the August Tomcat releases.

Mark
