Debian Security Advisory
DLA-2594-1 tomcat8 -- LTS security update
- Date Reported:
- 16 Mar 2021
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2021-24122, CVE-2021-25122, CVE-2021-25329.
- More information:
Three security issues have been detected in tomcat8.
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 8.5.0 to 8.5.59 is susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.
When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
The fix for 2020-9484 was incomplete. When using Apache Tomcat 8.5.0 to 8.5.61 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
For Debian 9 stretch, these problems have been fixed in version 8.5.54-0+deb9u6.
We recommend that you upgrade your tomcat8 packages.
For the detailed security status of tomcat8 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat8
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS