Tomcat and WebTomcat vulnerabilities on Spectrum 10.4.2

Article ID: 215029

Products

CA Spectrum

Issue/Introduction

A vulnerability scanner flags the Tomcat instance bundled with Spectrum (here the WebTomcat instance) as out of date. Scanner output as reported:

Plugin Output:
  Path              : /spectrum/webtomcat/bin/
  Installed version : 9.0.37
  Fixed version     : 9.0.43

The version of Tomcat installed on the remote host is prior to 9.0.43. It is, therefore, affected by multiple vulnerabilities as referenced in the vendor advisory.

  - An information disclosure vulnerability exists when responding to new h2c connection requests: Apache Tomcat versions 9.0.0.M1 to 9.0.41 could duplicate request headers and a limited amount of request body from one request to another, meaning user A and user B could both see the results of user A's request. (CVE-2021-25122)

  - A remote code execution vulnerability via deserialization exists because the fix for CVE-2020-9484 was incomplete: when using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329)

Related scanner findings reported against the bundled Tomcat. Every fixed version listed is 9.0.43 or earlier, so upgrading to 9.0.43 or later clears all of them:

Apache Tomcat 9.0.0 < 9.0.35 Remote Code Execution
Apache Tomcat 9.0.0.M1 < 9.0.36 DoS
Apache Tomcat 9.0.0.M1 < 9.0.37 Multiple Vulnerabilities
Apache Tomcat 8.5.x < 8.5.58 / 9.0.x < 9.0.38 HTTP/2 Request Mix-Up
Apache Tomcat 9.x < 9.0.40 Information Disclosure
Apache Tomcat 9.0.0.M1 < 9.0.43 Multiple Vulnerabilities


Environment

Release : 20.2

Component : Spectrum Core / SpectroSERVER

Resolution

Two patches upgrade the Tomcat instances bundled with Spectrum 10.4.2 to a version that addresses the findings above:

PTF_10.4.2209 - WebTomcat

PTF_10.4.2209a - Tomcat

Spectrum runs two separate Tomcat instances (Tomcat and WebTomcat), each with its own copy of the Tomcat binaries, and a scanner reports on each instance independently. Install both PTF_10.4.2209 and PTF_10.4.2209a; applying only one of them leaves the other instance at the vulnerable version and the scanner finding open.
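After applying both PTFs, confirm that each instance actually carries a fixed Tomcat build rather than trusting the patch log. The script below is an added example, not part of this article or of the Spectrum patches. It reads the version recorded in each instance's catalina.jar (the same ServerInfo.properties value a version scanner reports), compares it against the 9.0.43 threshold from the scanner finding, and reports both instances separately. The install root /usr/Spectrum and the instance directories tomcat and webtomcat under it are assumptions; override SPECROOT to match the host.

```shell
#!/bin/sh
# Added example: check that both Spectrum Tomcat instances are at or above
# the fixed version from the scanner finding. Not part of the CA/Broadcom
# patches; paths below are assumptions, adjust SPECROOT as needed.

# version_ge A B: exit 0 when dotted version A is >= B.
# Handles unequal component counts (9.0.43.0 vs 9.0.43) and Tomcat milestone
# tags (9.0.0.M1 sorts below 9.0.0), which simple string comparison gets wrong.
version_ge() {
    local a="$1" b="$2" ap bp
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ap="${ap:-0}"; bp="${bp:-0}"
        # Non-numeric components (M1, RC1) rank below any numeric component.
        case "$ap" in ''|*[!0-9]*) ap=-1;; esac
        case "$bp" in ''|*[!0-9]*) bp=-1;; esac
        [ "$ap" -gt "$bp" ] && return 0
        [ "$ap" -lt "$bp" ] && return 1
    done
    return 0
}

# catalina_version DIR: print server.number from DIR/lib/catalina.jar,
# e.g. 9.0.37.0. This is what Tomcat itself reports as its version.
catalina_version() {
    unzip -p "$1/lib/catalina.jar" org/apache/catalina/util/ServerInfo.properties 2>/dev/null \
        | sed -n 's/^server\.number=//p'
}

# check_instance DIR FIXED: 0 = patched, 1 = still vulnerable, 2 = no Tomcat found.
check_instance() {
    local dir="$1" fixed="$2" installed
    if [ ! -f "$dir/lib/catalina.jar" ]; then
        echo "$dir: no catalina.jar found, skipped"
        return 2
    fi
    installed=$(catalina_version "$dir")
    if version_ge "$installed" "$fixed"; then
        echo "$dir: installed $installed >= $fixed, OK"
        return 0
    fi
    echo "$dir: installed $installed < $fixed, NEEDS PATCH"
    return 1
}

# Assumed install root and instance layout; the scanner path
# /spectrum/webtomcat/bin/ suggests webtomcat sits directly under the root.
SPECROOT="${SPECROOT:-/usr/Spectrum}"
FIXED="9.0.43"   # fixed version from the scanner finding

for inst in tomcat webtomcat; do
    check_instance "$SPECROOT/$inst" "$FIXED" || true
done
```

Run it as the Spectrum service user after both PTFs are installed and the instances have been restarted; a "NEEDS PATCH" line for either directory means that instance was not updated and the scanner will keep reporting it.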