CVE-2022-23181 – Local privilege escalation with FileStore
https://notcve.org/view.php?id=CVE-2022-23181
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore. Una corrección del bug CVE-2020-9484 introdujo una vulnerabilidad de tiempo de comprobación, tiempo de uso en Apache Tomcat versiones 10.1.0-M1 a 10.1.0-M8, versiones 10.0.0-M5 a 10.0.14, versiones 9.0.35 a 9.0.56 y versiones 8.5.55 a 8.5.73, que permitía a un atacante local llevar a cabo acciones con los privilegios del usuario que está usando el proceso Tomcat. Este problema sólo es explotable cuando Tomcat está configurado para persistir sesiones usando el FileStore • https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9 https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html https://security.netapp.com/advisory/ntap-20220217-0010 https://www.debian.org/security/2022/dsa-5265 https://www.oracle.com/security-alerts/cpuapr2022.html https://www.oracle.com/security-alerts/cpujul2022.html https://access.redhat.com/security/cve/CVE-2022-23181 https://bugzilla.redhat.com/show_bug.cgi?id=2047417 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVE-2021-42340 – DoS via memory leak with WebSocket connections
https://notcve.org/view.php?id=CVE-2021-42340
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. La corrección del bug 63362 presente en Apache Tomcat versiones 10.1.0-M1 hasta 10.1.0-M5, versiones 10.0.0-M1 hasta 10.0.11, versiones 9.0.40 hasta 9.0.53 y versiones 8.5.60 hasta 8.5.71, introducía una pérdida de memoria. El objeto introducido para recopilar métricas para las conexiones de actualización HTTP no se liberaba para las conexiones WebSocket una vez que se cerraba la conexión. • https://kc.mcafee.com/corporate/index?page=content&id=SB10379 https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3E https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E https://security.gentoo.org/glsa/202208-34 https://security.netapp.com/advisory/ntap-20211104-0001 https://www.debian.org/security/2021/dsa-5009 https://www.oracle.com/security-alerts/cpuapr2022.html https://www • CWE-772: Missing Release of Resource after Effective Lifetime •
CVE-2021-41079 – Apache Tomcat DoS with unexpected TLS packet
https://notcve.org/view.php?id=CVE-2021-41079
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service. Apache Tomcat versiones 8.5.0 hasta 8.5.63, versiones 9.0.0-M1 hasta 9.0.43 y versiones 10.0.0-M1 hasta 10.0.2, no comprueban apropiadamente los paquetes TLS entrantes. Cuando Tomcat estaba configurado para usar NIO+OpenSSL o NIO2+OpenSSL para TLS, un paquete especialmente diseñado podía usarse para desencadenar un bucle infinito resultando en una denegación de servicio A flaw was found in Apache Tomcat. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet can trigger an infinite loop, resulting in a denial of service. • https://lists.apache.org/thread.html/r6b6b674e3f168dd010e67dbe6848b866e2acf26371452fdae313b98a%40%3Cusers.tomcat.apache.org%3E https://lists.apache.org/thread.html/rb4de81ac647043541a32881099aa6eb5a23f1b7fd116f713f8ab9dbe%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/rccdef0349fdf4fb73a4e4403095446d7fe6264e0a58e2df5c6799434%40%3Cannounce.tomcat.apache.org%3E https://lists.debian.org/debian-lts-announce/2021/09/msg00012.html https://security.netapp.com/advisory/ntap-20211008-0005 https://www.debian.org/security/2021/dsa-4986 https: • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2021-33037 – Incorrect Transfer-Encoding handling with HTTP/1.0
https://notcve.org/view.php?id=CVE-2021-33037
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding. Apache Tomcat versiones 10.0.0-M1 hasta 10.0.6, versiones 9.0.0.M1 hasta 9.0.46 y versiones 8.5.0 hasta 8.5.66, no analizaban correctamente el encabezado de petición HTTP transfer-encoding en algunas circunstancias, conllevando a la posibilidad de contrabando de peticiones cuando se usaba con un proxy inverso. Específicamente: - Tomcat ignoraba incorrectamente el encabezado de codificación de transferencia si el cliente declaraba que sólo aceptaría una respuesta HTTP/1.0; - Tomcat honraba la codificación de identificación; y - Tomcat no se aseguraba de que, si estaba presente, la codificación en trozos fuera la codificación final • https://kc.mcafee.com/corporate/index?page=content&id=SB10366 https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3E https:/ • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2021-30640 – Auth weakness in JNDIRealm
https://notcve.org/view.php?id=CVE-2021-30640
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. Una vulnerabilidad en el ámbito JNDI de Apache Tomcat permite a un atacante autenticarse usando variaciones de un nombre de usuario válido y/o omitir parte de la protección proporcionada por el ámbito LockOut. Este problema afecta a Apache Tomcat versiones 10.0.0-M1 hasta 10.0.5; versiones 9.0.0.M1 hasta 9.0.45; versiones 8.5.0 hasta 8.5.65 • https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html https://security.gentoo.org/glsa/202208-34 https://security.netapp.com/advisory/ntap-20210827-0007 https://www.debian.org/security/2021/dsa-4952 https://www.debian.org/security/2021/dsa-4986 https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpujan2022.html https: • CWE-116: Improper Encoding or Escaping of Output CWE-287: Improper Authentication •