Tomcat Vulnerabilities Netops 20.2.7


Article ID: 212182


Products

CA Spectrum

Issue/Introduction

Need to determine the resolution for the following scanner findings:

"Plugin Output:
  Path              : /spectrum/webtomcat/bin/
  Installed version : 9.0.37
  Fixed version     : 9.0.43"

"The version of Tomcat installed on the remote host is prior to 9.0.43. It is, therefore, affected by multiple vulnerabilities as referenced in the vendor advisory.

  - An information disclosure vulnerability exists when responding to new h2c connection requests. Apache Tomcat versions 9.0.0.M1 to 9.0.41 could duplicate request headers and a limited amount of request body from one request to another, meaning user A and user B could both see the results of user A's request. (CVE-2021-25122)

  - When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329)

  - A remote code execution vulnerability via deserialization exists when using Apache Tomcat 9.0.0.M1 to 9.0.41 with a configuration edge case that was highly unlikely to be used; the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329)"


Environment

Release : 20.2

Component : Spectrum Core / SpectroSERVER

Resolution

PTF 303 and PTF 304 are provided to upgrade Tomcat and WebTomcat on Spectrum 10.4.3.
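To confirm on a Spectrum host that the bundled Tomcat is no longer below the scanner's fixed version, the following check (added here as an example; it is not Broadcom's code or part of the PTF) reads the "Server number" line that Tomcat's own version.sh prints and compares it numerically with 9.0.43. The path and version numbers are taken from the finding above; the function names and the sample output are assumptions constructed for the example.

```shell
# Added example, not Spectrum tooling: compare the installed Tomcat version
# with the scanner's "Fixed version". Path and versions come from the finding.
FIXED_VERSION="9.0.43"
TOMCAT_BIN="/spectrum/webtomcat/bin"   # path reported by the scanner

# Pull "9.0.37" out of the "Server number: 9.0.37.0" line that Tomcat's
# version.sh prints. Input is passed as a string so it can be tested offline.
parse_server_number() {
    printf '%s\n' "$1" | sed -n 's/^Server number:[[:space:]]*\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p' | head -n 1
}

# Numeric, field-by-field comparison of dotted versions (a plain string
# compare would call 9.0.9 newer than 9.0.43). Returns 0 if $1 < $2.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 1
}

# Returns 0 when an upgrade is still required, 1 when the host is at or above
# the fixed version, 2 when the version could not be read from the output.
check_tomcat() {
    installed="$(parse_server_number "$1")"
    if [ -z "$installed" ]; then
        echo "could not determine Tomcat version"; return 2
    fi
    if version_lt "$installed" "$FIXED_VERSION"; then
        echo "Tomcat $installed is below fixed version $FIXED_VERSION: upgrade required"
        return 0
    fi
    echo "Tomcat $installed is at or above $FIXED_VERSION"
    return 1
}

# Constructed sample of version.sh output, matching the scanner finding above.
SAMPLE_OUTPUT="Server version: Apache Tomcat/9.0.37
Server number:  9.0.37.0
OS Name:        Linux"
# On a live host use: check_tomcat "$("$TOMCAT_BIN/version.sh" 2>/dev/null)"
check_tomcat "$SAMPLE_OUTPUT"
```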