Test ID:	1.3.6.1.4.1.25623.1.0.892733
Category:	Debian Local Security Checks
Title:	Debian LTS: Security Advisory for tomcat8 (DLA-2733-1)
Summary:	The remote host is missing an update for the 'tomcat8'; package(s) announced via the DLA-2733-1 advisory.
Description:	Summary: The remote host is missing an update for the 'tomcat8' package(s) announced via the DLA-2733-1 advisory. Vulnerability Insight: Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2021-30640 A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. CVE-2021-33037 Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response, - Tomcat honoured the identify encoding, and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding. Affected Software/OS: 'tomcat8' package(s) on Debian Linux. Solution: For Debian 9 stretch, these problems have been fixed in version 8.5.54-0+deb9u7. We recommend that you upgrade your tomcat8 packages. CVSS Score: 5.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2021-30640 Common Vulnerability Exposure (CVE) ID: CVE-2021-33037
Copyright	Copyright (C) 2021 Greenbone Networks GmbH

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.