Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2023-24998) and Workload Automation AE

Article ID: 262579

Products

Autosys Workload Automation

Issue/Introduction

Apache Tomcat Denial of Service (DoS) Vulnerability (CVE-2023-24998) was reported against the Tomcat releases distributed with AutoSys Servers.

Environment

Release : Multiple Releases

Resolution

For AutoSys 12.1 and 12.0.x:

- Upgrade Tomcat to 9.0.72, 9.0.73, or any newer 9.0.x release to resolve this:

https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.72

Important: Apache Tomcat denial of service CVE-2023-24998

Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

This was fixed with commit cf77cc54.

This issue was reported to the Apache Tomcat Security team on 11 December 2022. The issue was made public on 20 February 2023.

Affects: 9.0.0-M1 to 9.0.70

- Steps to upgrade Tomcat for AutoSys are documented here: https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/autosys-workload-automation/12-1/installing/Install-AutoSys/upgrade-tomcat-version-for-autosys.html

Note: the same steps can be used to upgrade to any current 9.0.x release.

For AutoSys 11.3.6:

- Upgrade to the latest Tomcat 8.5.x release (the fix is in 8.5.86, see the link): https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.86

- Steps to upgrade Tomcat for AutoSys are documented here: https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/workload-automation-ae-and-workload-control-center/11-3-6-SP8/upgrading/upgrade-tomcat-for-autosys/upgrade-tomcat---linux.html

Note: the same steps can be used to upgrade to any current 8.5.x release.
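As an added triage helper (not part of this article or of the AutoSys product), the check below parses the output of Tomcat's bin/version.sh, run from the Tomcat installation that AutoSys uses, and reports whether that build predates the fixed releases named above for both branches (9.0.72 for 9.0.x, 8.5.86 for 8.5.x). The sample output and the install path in it are constructed for the example.

```python
import re

# Fix thresholds per branch, taken from the advisory text above.
FIXED_IN = {(9, 0): (9, 0, 72), (8, 5): (8, 5, 86)}

# Matches "Apache Tomcat/9.0.70" and milestone builds such as "Apache Tomcat/9.0.0-M1".
_VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")

# Constructed sample of version.sh output; the CATALINA_BASE path is a placeholder.
SAMPLE_VERSION_SH_OUTPUT = """Using CATALINA_BASE:   /path/to/autosys/tomcat
Using CATALINA_HOME:   /path/to/autosys/tomcat
Server version: Apache Tomcat/9.0.70
Server number:  9.0.70.0
"""


def parse_tomcat_version(text):
    """Return (major, minor, patch, milestone) from version.sh-style output.

    milestone is None for a GA build; 9.0.0-M1 becomes (9, 0, 0, 1).
    Returns None when no Tomcat version string is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), int(ms) if ms else None)


def _sort_key(version):
    # A milestone (pre-release) sorts before the GA build with the same patch number.
    major, minor, patch, ms = version
    return (major, minor, patch, 0 if ms is not None else 1, ms or 0)


def is_vulnerable_to_cve_2023_24998(version):
    """True if the build predates the fix on its branch, False if fixed.

    Branches the advisory does not cover (e.g. 10.x) return None (unknown).
    """
    fixed = FIXED_IN.get((version[0], version[1]))
    if fixed is None:
        return None
    return _sort_key(version) < _sort_key(fixed + (None,))


def assess(version_sh_output):
    """Parse version.sh output and return (version tuple, vulnerable flag)."""
    version = parse_tomcat_version(version_sh_output)
    if version is None:
        return None, None
    return version, is_vulnerable_to_cve_2023_24998(version)
```

Run version.sh from the Tomcat bin directory of the AutoSys install and pass its output to assess(); a True flag means the upgrade steps above still apply.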