Multiple Tomcat Vulnerabilities Fixed in Ubuntu and Debian
2024-08-05 17:00:52 Author: securityboulevard.com

Tomcat, a widely used Java servlet and JSP engine, has recently received security updates in Ubuntu and Debian that address several vulnerabilities. Depending on the issue, exploitation could lead to cross-site scripting, HTTP request smuggling, denial of service (DoS), or arbitrary code execution. This article summarises each vulnerability, its potential impact, and how to keep affected Linux systems patched.

Tomcat Vulnerabilities in Ubuntu

Canonical’s security updates for Ubuntu address the following vulnerabilities in tomcat7:

CVE-2019-0221 (CVSS v3 Severity Score: 6.1 Medium)

The Tomcat SSI printenv command echoed user-provided data without escaping it, which an attacker could exploit to perform a cross-site scripting (XSS) attack. SSI support is disabled by default in Tomcat, so only deployments that have enabled the SSI servlet or filter are exposed.

CVE-2020-9484 & CVE-2021-25329 (CVSS v3 Severity Score: 7.0 High)

Tomcat incorrectly handled certain uncommon PersistenceManager with FileStore configurations; CVE-2021-25329 tracks an incomplete fix for CVE-2020-9484. Exploitation requires that an attacker can place a file with attacker-controlled content on the server, that the application uses a PersistenceManager with a FileStore, that the manager's sessionAttributeValueClassNameFilter is unset or lax enough to admit the attacker's object, and that the attacker knows the file's path relative to the FileStore directory. Under those conditions a crafted request could cause the file to be deserialised and arbitrary code to run on the affected system.

Tomcat Vulnerabilities in Debian

Debian has patched the following vulnerabilities in tomcat9 and tomcat10:

CVE-2023-46589 (CVSS v3 Severity Score: 7.5 High)

Tomcat did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, which enables request smuggling when Tomcat sits behind a reverse proxy that treated the same bytes as one request.
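To make the failure mode concrete, the following added example (not Tomcat code, and not its actual code path) is a toy HTTP/1.1 chunked-body parser in two variants. The lenient variant drops an oversized trailer field and treats the request as finished at that point, so the leftover trailer bytes are parsed as a second request; the strict variant rejects the connection. A lax reverse proxy that forwards trailer lines verbatim sees one request, while the lenient backend sees two. The byte limit, the function names and the sample traffic are all assumptions constructed for the illustration.

```python
"""Toy chunked-body parser illustrating the request-smuggling class behind
CVE-2023-46589. Added example: the limit, names and traffic are constructed
for illustration and do not reproduce Tomcat's implementation."""

# Assumed trailer size limit for the toy; Tomcat's real limit is far larger.
MAX_TRAILER_BYTES = 64


class ParseError(Exception):
    """Raised when the strict parser refuses oversized or malformed input."""


def _read_line(buf, pos):
    """Return (line without CRLF, position just after the CRLF)."""
    eol = buf.index(b"\r\n", pos)
    return buf[pos:eol], eol + 2


def _read_head(buf, pos):
    """Parse a request line plus headers; returns (method, target, headers, pos)."""
    while buf.startswith(b"\r\n", pos):  # RFC 7230 3.5: ignore leading empty lines
        pos += 2
    line, pos = _read_line(buf, pos)
    method, target, _version = line.split(b" ", 2)
    headers = {}
    while True:
        line, pos = _read_line(buf, pos)
        if not line:
            return method, target, headers, pos
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()


def _read_chunks(buf, pos):
    """Consume chunk-size/chunk-data pairs up to the last-chunk; returns (body, pos)."""
    body = b""
    while True:
        line, pos = _read_line(buf, pos)
        size = int(line.split(b";", 1)[0], 16)  # chunk extensions are ignored
        if size == 0:
            return body, pos
        body += buf[pos:pos + size]
        pos += size
        if buf[pos:pos + 2] != b"\r\n":
            raise ParseError("chunk data not followed by CRLF")
        pos += 2


def _read_trailers(buf, pos, strict):
    """Read trailer fields up to the empty line, enforcing MAX_TRAILER_BYTES.

    strict=True  -> an oversized trailer section aborts the whole connection.
    strict=False -> the oversized field is dropped and the request is considered
                    complete there, leaving the remaining trailer bytes on the
                    connection to be parsed as the *next* request (the defect).
    """
    trailers, consumed = {}, 0
    while True:
        line, nxt = _read_line(buf, pos)
        consumed += len(line) + 2
        if consumed > MAX_TRAILER_BYTES:
            if strict:
                raise ParseError("trailer section exceeds MAX_TRAILER_BYTES")
            return trailers, nxt
        pos = nxt
        if not line:
            return trailers, pos
        name, _, value = line.partition(b":")
        trailers[name.strip().lower()] = value.strip()


def backend_requests(stream, strict=True):
    """Parse every request on one connection the way the application server would."""
    requests, pos = [], 0
    while pos < len(stream):
        method, target, headers, pos = _read_head(stream, pos)
        body, trailers = b"", {}
        if headers.get(b"transfer-encoding") == b"chunked":
            body, pos = _read_chunks(stream, pos)
            trailers, pos = _read_trailers(stream, pos, strict)
        requests.append((method, target, body, trailers))
    return requests


def strict_rejects(stream):
    """True if the strict backend refuses the connection instead of splitting it."""
    try:
        backend_requests(stream, strict=True)
        return False
    except ParseError:
        return True


def proxy_request_count(stream):
    """Count requests as a lax reverse proxy does: trailer lines are forwarded
    verbatim until the empty line and no trailer size limit is enforced."""
    count, pos = 0, 0
    while pos < len(stream):
        _m, _t, headers, pos = _read_head(stream, pos)
        if headers.get(b"transfer-encoding") == b"chunked":
            _body, pos = _read_chunks(stream, pos)
            line = None
            while line != b"":
                line, pos = _read_line(stream, pos)
        count += 1
    return count


# Constructed traffic: one chunked POST whose trailer section is padded past the
# toy limit and then carries a second request inside the trailer area.
SMUGGLED = b"".join([
    b"POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n",
    b"5\r\nhello\r\n0\r\n",
    b"X-Padding: " + b"A" * 80 + b"\r\n",
    b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n",
])

if __name__ == "__main__":
    print("proxy sees", proxy_request_count(SMUGGLED), "request(s)")
    print("lenient backend sees", [r[1] for r in backend_requests(SMUGGLED, strict=False)])
    print("strict backend rejects:", strict_rejects(SMUGGLED))
```

Run as a script, the proxy reports one request, the lenient backend reports two targets (`/upload` and `/admin`), and the strict backend rejects the connection. The design point is that a limit violation in a trailer section must fail the whole connection rather than resynchronise on the next line, because the front end has already committed to a different request boundary.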

CVE-2024-24549

This vulnerability is an input validation flaw in Tomcat's HTTP/2 handling. When a request exceeded the configured header limits, the associated HTTP/2 stream was not reset until all of its headers had been processed, so a client could make the server process far more header data than the limits were meant to allow, leading to a potential DoS.

CVE-2024-23672

This vulnerability is an incomplete cleanup issue in Tomcat's WebSocket implementation: clients could keep WebSocket connections open, increasing resource consumption on the server and potentially causing a DoS.

How To Stay Secure

To safeguard your systems, update your Tomcat installation to the patched package version and restart the Tomcat service so that the new code is loaded. Canonical has released security updates for Ubuntu Pro users to address the tomcat7 vulnerabilities in Ubuntu 18.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 14.04 ESM. Debian has fixed the vulnerabilities in tomcat9 and tomcat10 in Debian 11 and Debian 12, respectively. Applying these updates closes the issues described above.

For Ubuntu users, particularly those on versions 16.04 and 18.04, it is important to note that these releases have reached their end of life (EOL) and no longer receive regular security updates. However, Canonical offers Extended Security Maintenance (ESM) via Ubuntu Pro, providing critical updates for these EOL systems. An Ubuntu Pro subscription is required to apply these security patches, which may not be a cost-effective solution.

TuxCare offers an affordable alternative, Extended Lifecycle Support (ELS), which provides five additional years of security patching for Ubuntu 16.04 and Ubuntu 18.04 post-EOL. This service covers the Linux kernel, common shared libraries like glibc and OpenSSL, and various other packages, including Tomcat, Python, and PHP.

You can find all the supported packages on this page.

Source: USN-6908-1, DSA 5665-1

The post Multiple Tomcat Vulnerabilities Fixed in Ubuntu and Debian appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/multiple-tomcat-vulnerabilities-fixed-in-ubuntu-and-debian/


Article source: https://securityboulevard.com/2024/08/multiple-tomcat-vulnerabilities-fixed-in-ubuntu-and-debian/