Tomcat Vulnerabilities on 9.0.0.41 and 7.0.0.104

Article ID: 211238

Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
SITEMINDER
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

Tomcat 9.0.0.41 and 7.0.0.104 have vulnerabilities CVE-2021-25122 (1)
and CVE-2021-25329 (2).

Resolution

SiteMinder is not affected by these vulnerabilities.

CVE-2021-25122

  SiteMinder is not impacted by this vulnerability, because the issue
  relates to h2c connections, that is, HTTP/2 over TCP.
  Reference: h2c is HTTP/2 over TCP (3).

CVE-2021-25329

  SiteMinder is not affected: we generally run at the default
  configuration level and do not configure the PersistenceManager (4).
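To confirm both statements on a given deployment, the following added example (not Broadcom or Apache code) audits a Tomcat server.xml or context.xml for the two prerequisites discussed above: an h2c-capable connector (CVE-2021-25122) and a persistent manager with a FileStore (CVE-2021-25329, see (4)). It assumes the stock Tomcat class names, where the manager class is org.apache.catalina.session.PersistentManager; the function name and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

H2_UPGRADE = "org.apache.coyote.http2.Http2Protocol"
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
FILTER_ATTR = "sessionAttributeValueClassNameFilter"


def audit_tomcat_config(xml_text):
    """Return findings for one trusted, local server.xml or context.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    # CVE-2021-25122 prerequisite: h2c, i.e. the HTTP/2 upgrade protocol
    # on a connector that does not have TLS enabled.
    for conn in root.iter("Connector"):
        upgrades = [u.get("className") for u in conn.findall("UpgradeProtocol")]
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        if H2_UPGRADE in upgrades and not tls:
            findings.append(("h2c", "port " + conn.get("port", "?")))
    # CVE-2020-9484 / CVE-2021-25329 prerequisite: PersistentManager with a
    # FileStore. An absent filter means the default ("null") applies.
    for mgr in root.iter("Manager"):
        stores = [s.get("className") for s in mgr.findall("Store")]
        if mgr.get("className") == PERSISTENT_MANAGER and FILE_STORE in stores:
            flt = mgr.get(FILTER_ATTR)
            detail = "no filter set" if flt is None else "review filter " + flt
            findings.append(("persistent-filestore", detail))
    return findings


# Constructed sample inputs, not taken from any SiteMinder installation.
DEFAULT_LIKE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Engine name="Catalina"><Host name="localhost"><Context/></Host></Engine>
</Service></Server>"""

RISKY = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  </Connector>
  <Engine name="Catalina"><Host name="localhost"><Context>
    <Manager className="org.apache.catalina.session.PersistentManager">
      <Store className="org.apache.catalina.session.FileStore"/>
    </Manager>
  </Context></Host></Engine>
</Service></Server>"""

if __name__ == "__main__":
    for name, doc in (("default-like", DEFAULT_LIKE), ("risky", RISKY)):
        print(name, audit_tomcat_config(doc))
```

An empty result for every server.xml and context.xml in the deployment matches the configuration this article describes; any finding means the Tomcat version ranges in (1) and (2) need to be checked for that instance.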

 

Additional Information

(1)

   CVE-2021-25122

   Description

     When responding to new h2c connection requests, Apache Tomcat versions
     10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, and 8.5.0 to 8.5.61 could
     duplicate request headers and a limited amount of request body from
     one request to another meaning user A and user B could both see the
     results of user A's request.

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25122

(2)

   CVE-2021-25329

   Description

     The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat
     10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or
     7.0.0. to 7.0.107 with a configuration edge case that was highly
     unlikely to be used, the Tomcat instance was still vulnerable to
     CVE-2020-9494. Note that both the previously published prerequisites
     for CVE-2020-9484 and the previously published mitigations for
     CVE-2020-9484 also apply to this issue (4).

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25329

(3)

   HTTP/2 guide
   https://httpd.apache.org/docs/2.4/howto/http2.html#:~:text=h2c%20is%20HTTP%2F2%20over,in%20the%20official%20documentation%20section

(4)

   Fixed in Apache Tomcat 7.0.104

     High: Remote Code Execution via session persistence CVE-2020-9484

     If:

       - an attacker is able to control the contents and name of a
         file on the server; and
       - the server is configured to use the PersistenceManager with a
         FileStore; and
       - the PersistenceManager is configured with
         sessionAttributeValueClassNameFilter="null" (the default
         unless a SecurityManager is used) or a sufficiently lax
         filter to allow the attacker provided object to be
         deserialized; and
       - the attacker knows the relative file path from the storage
         location used by FileStore to the file the attacker has
         control over;

     then, using a specifically crafted request, the attacker will be able
     to trigger remote code execution via deserialization of the file under
     their control.

     Note: All of the conditions above must be true for the attack to succeed.

   https://tomcat.apache.org/security-7.html