[jira] [Updated] (OFBIZ-11847) CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)

     [ https://issues.apache.org/jira/browse/OFBIZ-11847?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Brohl updated OFBIZ-11847:
----------------------------------
    Description:
CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M5
Apache Tomcat 9.0.0.M1 to 9.0.35
Apache Tomcat 8.5.0 to 8.5.55

Description:
A specially crafted sequence of HTTP/2 requests could trigger high CPU
usage for several seconds. If a sufficient number of such requests were
made on concurrent HTTP/2 connections, the server could become unresponsive.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M6 or later
- Upgrade to Apache Tomcat 9.0.36 or later
- Upgrade to Apache Tomcat 8.5.56 or later

Credit:
This issue was reported publicly via the Apache Tomcat Users mailing
list without reference to the potential for DoS. The DoS risks were
identified by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-10.html
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html



  was:
CVE-2020-1938 AJP Request Injection and potential Remote Code Execution

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.30
Apache Tomcat 8.5.0 to 8.5.50
Apache Tomcat 7.0.0 to 7.0.99

Description:
When using the Apache JServ Protocol (AJP), care must be taken when
trusting incoming connections to Apache Tomcat. Tomcat treats AJP
connections as having higher trust than, for example, a similar HTTP
connection. If such connections are available to an attacker, they can
be exploited in ways that may be surprising.

Prior to Tomcat 9.0.31, 8.5.51 and 7.0.100, Tomcat shipped with an AJP
Connector enabled by default that listened on all configured IP
addresses. It was expected (and recommended in the security guide) that
this Connector would be disabled if not required.

Prior to this vulnerability report, the known risks of an attacker being
able to access the AJP port directly were:
- bypassing security checks based on client IP address
- bypassing user authentication if Tomcat was configured to trust
  authentication data provided by the reverse proxy
This vulnerability report identified a mechanism that allowed the following:
- returning arbitrary files from anywhere in the web application
  including under the WEB-INF and META-INF directories or any other
  location reachable via ServletContext.getResourceAsStream()
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those
files within the web application (or the attacker was able to control
the content of the web application by some other means) then this, along
with the ability to process a file as a JSP, made remote code execution
possible.

Mitigation:
It is important to note that mitigation is only required if an AJP port
is accessible to untrusted users.
- If AJP support is not required, the Connector may be disabled e.g. by
  removing the AJP Connector element from the server.xml file
- If AJP support is required, untrusted users may be prevented from
  accessing the AJP port by one or more of the following means:
  - configuring appropriate network firewall rules
  - configuring an explicit address attribute to the connector so that
    the Connector listens on a non-public interface
  - configuring a shared secret for the AJP connection
Users wishing to take a defence-in-depth approach and block the vector
that permits returning arbitrary files and execution as JSP may upgrade to:
- Apache Tomcat 9.0.31 or later
- Apache Tomcat 8.5.51 or later
- Apache Tomcat 7.0.100 or later
Users should note that a number of changes were made to the default AJP
Connector configuration in these versions to harden the default
configuration. The changes are:
- The AJP Connector is commented out in the provided server.xml file.
- The "requiredSecret" attribute has been renamed "secret" (the old name
  continues to work but is deprecated).
- A new attribute "secretRequired" has been added which defaults to
  "true". When this attribute is "true", the AJP Connector will not
  start unless a shared secret has been configured.
- The default listen address for the AJP Connector is now the loopback
  address.
It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 and later
will need to make small changes to their configurations as a result.


References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/securit




--
This message was sent by Atlassian Jira
(v8.3.4#803005)