| Description: | Summary:
The remote host is missing an update for the Debian 'tomcat8' package(s) announced via the DLA-2594-1 advisory.
Vulnerability Insight:
Three security issues have been detected in tomcat8.
CVE-2021-24122
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 8.5.0 to 8.5.59 is susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.
CVE-2021-25122
When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
CVE-2021-25329
The fix for 2020-9484 was incomplete. When using Apache Tomcat 8.5.0 to 8.5.61 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
For Debian 9 stretch, these problems have been fixed in version 8.5.54-0+deb9u6.
We recommend that you upgrade your tomcat8 packages.
For the detailed security status of tomcat8 please refer to its security tracker page at: [link moved to references]
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]
Affected Software/OS:
'tomcat8' package(s) on Debian 9.
Solution:
Please install the updated package(s).
CVSS Score:
5.0
CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
