Vulnerability from csaf_suse
Published
2024-04-11 10:43
Modified
2024-04-11 10:43
Summary
Security update for tomcat10
Notes
Title of the patch
Security update for tomcat10
Description of the patch
This update for tomcat10 fixes the following issues:
- CVE-2024-24549: Fixed denial of service during header validation for HTTP/2 stream (bsc#1221386)
- CVE-2024-23672: Fixed denial of service due to malicious WebSocket client keeping connection open (bsc#1221385)
Other fixes:
- Update to Tomcat 10.1.20
* Catalina
+ Fix: Minor performance improvement for building filter chains.
Based on ideas from #702 by Luke Miao. (remm)
+ Fix: Align error handling for Writer and OutputStream. Ensure
use of either once the response has been recycled triggers a
NullPointerException provided that discardFacades is configured with
the default value of true. (markt)
+ Fix: 68692: The standard thread pool implementations that are
configured using the Executor element now implement ExecutorService
for better support NIO2. (remm)
+ Fix: 68495: When restoring a saved POST request after a
successful FORM authentication, ensure that neither the URI, the
query string nor the protocol are corrupted when restoring the
request body. (markt)
+ Fix: After forwarding a request, attempt to unwrap the
response in order to suspend it, instead of simply closing it if it
was wrapped. Add a new suspendWrappedResponseAfterForward boolean
attribute on Context to control the bahavior, defaulting to false.
(remm)
+ Fix: 68721: Workaround a possible cause of duplicate class
definitions when using ClassFileTransformers and the transformation
of a class also triggers the loading of the same class. (markt)
+ Fix: The rewrite valve should not do a rewrite if the output
is identical to the input. (remm)
+ Update: Add a new valveSkip (or VS) rule flag to the rewrite
valve to allow skipping over the next valve in the Catalina pipeline.
(remm)
+ Update: Add highConcurrencyStatus attribute to the
SemaphoreValve to optionally allow the valve to return an error
status code to the client when a permit cannot be acquired from the
semaphore. (remm)
+ Add: Add checking of the 'age' of the running Tomcat instance
since its build-date to the SecurityListener, and log a warning if
the server is old. (schultz)
+ Fix: When using the AsyncContext, throw an
IllegalStateException, rather than allowing an NullPointerException,
if an attempt is made to use the AsyncContext after it has been
recycled. (markt)
+ Fix: Correct JPMS and OSGi meta-data for tomcat-embed-core.jar
by removing reference to org.apache.catalina.ssi package that is no
longer included in the JAR. Based on pull request #684 by Jendrik
Johannes. (markt)
+ Fix: Fix ServiceBindingPropertySource so that trailing \r\n
sequences are correctly removed from files containing property values
when configured to do so. Bug identified by Coverity Scan. (markt)
+ Add: Add improvements to the CSRF prevention filter including
the ability to skip adding nonces for resource name and subtree URL
patterns. (schultz)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
+ Fix: 68089: Further improve the performance of request
attribute access for ApplicationHttpRequest and ApplicationRequest.
(markt)
+ Fix: 68559: Allow asynchronous error handling to write to the
response after an error during asynchronous processing. (markt)
* Coyote
+ Fix: Improve the HTTP/2 stream prioritisation process. If a
stream uses all of the connection windows and still has content to
write, it will now be added to the backlog immediately rather than
waiting until the write attempt for the remaining content. (markt)
+ Fix: Add threadsMaxIdleTime attribute to the endpoint, to
allow configuring the amount of time before an internal executor will
scale back to the configured minSpareThreads size. (remm)
+ Fix: Correct a regression in the support for user provided
SSLContext instances that broke the
org.apache.catalina.security.TLSCertificateReloadListener. (markt)
+ Fix: Setting a null value for a cookie attribute should remove
the attribute. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that
once a connection is marked to be closed, further asynchronous
processing cannot change that. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that
once the call to AsyncListener.onError() has returned to the
container, only container threads can access the AsyncContext. This
protects against various race conditions that woudl otherwise occur
if application threads continued to access the AsyncContext.
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. In particular, most of
the HTTP/2 debug logging has been changed to trace level. (remm)
+ Fix: Add support for user provided SSLContext instances
configured on SSLHostConfigCertificate instances. Based on pull
request #673 provided by Hakan Altındağ. (markt)
+ Fix: Partial fix for 68558: Cache the result of converting to
String for request URI, HTTP header names and the request
Content-Type value to improve performance by reducing repeated byte[]
to String conversions. (markt)
+ Fix: Improve error reporting to HTTP/2 clients for header
processing errors by reporting problems at the end of the frame where
the error was detected rather than at the end of the headers. (markt)
+ Fix: Remove the remaining reference to a stream once the
stream has been recycled. This makes the stream eligible for garbage
collection earlier and thereby improves scalability. (markt)
* Jasper
+ Add: Add support for specifying Java 22 (with the value 22) as
the compiler source and/or compiler target for JSP compilation. If
used with an Eclipse JDT compiler version that does not support these
values, a warning will be logged and the default will used. (markt)
+ Fix: Handle the case where the JSP engine forwards a
request/response to a Servlet that uses an OutputStream rather than a
Writer. This was triggering an IllegalStateException on code paths
where there was a subsequent attempt to obtain a Writer. (markt)
+ Fix: Correctly handle the case where a tag library is packaged
in a JAR file and the web application is deployed as a WAR file
rather than an unpacked directory. (markt)
+ Fix: 68546: Generate optimal size and types for JSP imports
maps, as suggested by John Engebretson. (remm)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
* Cluster
+ Fix: Avoid updating request count stats on async. (remm)
* WebSocket
+ Fix: Correct a regression in the fix for 66508 that could
cause an UpgradeProcessor leak in some circumstances. (markt)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
+ Fix: Ensure that WebSocket connection closure completes if the
connection is closed when the server side has used the proprietary
suspend/resume feature to suspend the connection. (markt)
* Web applications
Add: Add support for responses in JSON format from the examples
application RequestHeaderExample. (schultz)
* Other
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Fix: 57130: Allow digest.(sh|bat) to accept password from a
file or stdin. (csutherl/schultz)
+ Update: Update Checkstyle to 10.14.1. (markt)
+ Fix: Correct the remaining OSGi contract references in the
manifest files to refer to the Jakarta EE contract names rather than
the Java EE contract names. Based on pull request #685 provided by
Paul A. Nicolucci. (markt)
+ Update: Update Checkstyle to 10.13.0. (markt)
+ Update: Update JSign to 6.0. (markt)
+ Update: Update the packaged version of the Tomcat Migration
Tool for Jakarta EE to 1.0.7. (markt)
+ Update: Update Tomcat Native to 2.0.7. (markt)
+ Update: Add strings for debug level messages. (remm)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
Patchnames
SUSE-2024-1204,SUSE-SLE-Module-Web-Scripting-15-SP5-2024-1204,openSUSE-SLE-15.5-2024-1204
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for tomcat10", title: "Title of the patch", }, { category: "description", text: "This update for tomcat10 fixes the following issues:\n\n- CVE-2024-24549: Fixed denial of service during header validation for HTTP/2 stream (bsc#1221386)\n- CVE-2024-23672: Fixed denial of service due to malicious WebSocket client keeping connection open (bsc#1221385)\n\nOther fixes:\n- Update to Tomcat 10.1.20\n * Catalina\n + Fix: Minor performance improvement for building filter chains. \n Based on ideas from #702 by Luke Miao. (remm)\n + Fix: Align error handling for Writer and OutputStream. Ensure \n use of either once the response has been recycled triggers a \n NullPointerException provided that discardFacades is configured with \n the default value of true. (markt)\n + Fix: 68692: The standard thread pool implementations that are \n configured using the Executor element now implement ExecutorService \n for better support NIO2. (remm)\n + Fix: 68495: When restoring a saved POST request after a \n successful FORM authentication, ensure that neither the URI, the \n query string nor the protocol are corrupted when restoring the \n request body. (markt)\n + Fix: After forwarding a request, attempt to unwrap the \n response in order to suspend it, instead of simply closing it if it \n was wrapped. Add a new suspendWrappedResponseAfterForward boolean \n attribute on Context to control the bahavior, defaulting to false. \n (remm)\n + Fix: 68721: Workaround a possible cause of duplicate class \n definitions when using ClassFileTransformers and the transformation \n of a class also triggers the loading of the same class. (markt)\n + Fix: The rewrite valve should not do a rewrite if the output \n is identical to the input. (remm)\n + Update: Add a new valveSkip (or VS) rule flag to the rewrite \n valve to allow skipping over the next valve in the Catalina pipeline. \n (remm)\n + Update: Add highConcurrencyStatus attribute to the \n SemaphoreValve to optionally allow the valve to return an error \n status code to the client when a permit cannot be acquired from the \n semaphore. (remm)\n + Add: Add checking of the 'age' of the running Tomcat instance \n since its build-date to the SecurityListener, and log a warning if \n the server is old. (schultz)\n + Fix: When using the AsyncContext, throw an \n IllegalStateException, rather than allowing an NullPointerException, \n if an attempt is made to use the AsyncContext after it has been \n recycled. (markt)\n + Fix: Correct JPMS and OSGi meta-data for tomcat-embed-core.jar \n by removing reference to org.apache.catalina.ssi package that is no \n longer included in the JAR. Based on pull request #684 by Jendrik \n Johannes. (markt)\n + Fix: Fix ServiceBindingPropertySource so that trailing \\r\\n \n sequences are correctly removed from files containing property values \n when configured to do so. Bug identified by Coverity Scan. (markt)\n + Add: Add improvements to the CSRF prevention filter including \n the ability to skip adding nonces for resource name and subtree URL \n patterns. (schultz)\n + Fix: Review usage of debug logging and downgrade trace or data \n dumping operations from debug level to trace. (remm)\n + Fix: 68089: Further improve the performance of request \n attribute access for ApplicationHttpRequest and ApplicationRequest. \n (markt)\n + Fix: 68559: Allow asynchronous error handling to write to the \n response after an error during asynchronous processing. (markt)\n * Coyote\n + Fix: Improve the HTTP/2 stream prioritisation process. If a \n stream uses all of the connection windows and still has content to \n write, it will now be added to the backlog immediately rather than \n waiting until the write attempt for the remaining content. (markt)\n + Fix: Add threadsMaxIdleTime attribute to the endpoint, to \n allow configuring the amount of time before an internal executor will \n scale back to the configured minSpareThreads size. (remm)\n + Fix: Correct a regression in the support for user provided \n SSLContext instances that broke the \n org.apache.catalina.security.TLSCertificateReloadListener. (markt)\n + Fix: Setting a null value for a cookie attribute should remove \n the attribute. (markt)\n + Fix: Make asynchronous error handling more robust. Ensure that \n once a connection is marked to be closed, further asynchronous \n processing cannot change that. (markt)\n + Fix: Make asynchronous error handling more robust. Ensure that \n once the call to AsyncListener.onError() has returned to the \n container, only container threads can access the AsyncContext. This \n protects against various race conditions that woudl otherwise occur \n if application threads continued to access the AsyncContext.\n + Fix: Review usage of debug logging and downgrade trace or data \n dumping operations from debug level to trace. In particular, most of \n the HTTP/2 debug logging has been changed to trace level. (remm)\n + Fix: Add support for user provided SSLContext instances \n configured on SSLHostConfigCertificate instances. Based on pull \n request #673 provided by Hakan Altındağ. (markt)\n + Fix: Partial fix for 68558: Cache the result of converting to \n String for request URI, HTTP header names and the request \n Content-Type value to improve performance by reducing repeated byte[] \n to String conversions. (markt)\n + Fix: Improve error reporting to HTTP/2 clients for header \n processing errors by reporting problems at the end of the frame where \n the error was detected rather than at the end of the headers. (markt)\n + Fix: Remove the remaining reference to a stream once the \n stream has been recycled. This makes the stream eligible for garbage \n collection earlier and thereby improves scalability. (markt)\n * Jasper\n + Add: Add support for specifying Java 22 (with the value 22) as \n the compiler source and/or compiler target for JSP compilation. If \n used with an Eclipse JDT compiler version that does not support these \n values, a warning will be logged and the default will used. (markt)\n + Fix: Handle the case where the JSP engine forwards a \n request/response to a Servlet that uses an OutputStream rather than a \n Writer. This was triggering an IllegalStateException on code paths \n where there was a subsequent attempt to obtain a Writer. (markt)\n + Fix: Correctly handle the case where a tag library is packaged \n in a JAR file and the web application is deployed as a WAR file \n rather than an unpacked directory. (markt)\n + Fix: 68546: Generate optimal size and types for JSP imports \n maps, as suggested by John Engebretson. (remm)\n + Fix: Review usage of debug logging and downgrade trace or data \n dumping operations from debug level to trace. (remm)\n *\tCluster\n + Fix: Avoid updating request count stats on async. (remm)\n * WebSocket\n + Fix: Correct a regression in the fix for 66508 that could \n cause an UpgradeProcessor leak in some circumstances. (markt)\n + Fix: Review usage of debug logging and downgrade trace or data \n dumping operations from debug level to trace. (remm)\n + Fix: Ensure that WebSocket connection closure completes if the \n connection is closed when the server side has used the proprietary \n suspend/resume feature to suspend the connection. (markt)\n * Web applications\n Add: Add support for responses in JSON format from the examples \n application RequestHeaderExample. (schultz)\n * Other\n + Add: Improvements to French translations. (remm)\n + Add: Improvements to Japanese translations by tak7iji. (markt)\n + Fix: 57130: Allow digest.(sh|bat) to accept password from a \n file or stdin. (csutherl/schultz)\n + Update: Update Checkstyle to 10.14.1. (markt)\n + Fix: Correct the remaining OSGi contract references in the \n manifest files to refer to the Jakarta EE contract names rather than \n the Java EE contract names. Based on pull request #685 provided by \n Paul A. Nicolucci. (markt)\n + Update: Update Checkstyle to 10.13.0. (markt)\n + Update: Update JSign to 6.0. (markt)\n + Update: Update the packaged version of the Tomcat Migration \n Tool for Jakarta EE to 1.0.7. (markt)\n + Update: Update Tomcat Native to 2.0.7. (markt)\n + Update: Add strings for debug level messages. (remm)\n + Add: Improvements to French translations. (remm)\n + Add: Improvements to Japanese translations by tak7iji. (markt)\n", title: "Description of the patch", }, { category: "details", text: "SUSE-2024-1204,SUSE-SLE-Module-Web-Scripting-15-SP5-2024-1204,openSUSE-SLE-15.5-2024-1204", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_1204-1.json", }, { category: "self", summary: "URL for SUSE-SU-2024:1204-1", url: "https://www.suse.com/support/update/announcement/2024/suse-su-20241204-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2024:1204-1", url: "https://lists.suse.com/pipermail/sle-updates/2024-April/034931.html", }, { category: "self", summary: "SUSE Bug 1221385", url: "https://bugzilla.suse.com/1221385", }, { category: "self", summary: "SUSE Bug 1221386", url: "https://bugzilla.suse.com/1221386", }, { category: "self", summary: "SUSE CVE CVE-2024-23672 page", url: "https://www.suse.com/security/cve/CVE-2024-23672/", }, { category: "self", summary: "SUSE CVE CVE-2024-24549 page", url: "https://www.suse.com/security/cve/CVE-2024-24549/", }, ], title: "Security update for tomcat10", tracking: { current_release_date: "2024-04-11T10:43:42Z", generator: { date: "2024-04-11T10:43:42Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2024:1204-1", initial_release_date: "2024-04-11T10:43:42Z", revision_history: [ { date: "2024-04-11T10:43:42Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "tomcat10-10.1.20-150200.5.22.2.noarch", product: { name: "tomcat10-10.1.20-150200.5.22.2.noarch", product_id: "tomcat10-10.1.20-150200.5.22.2.noarch", }, }, { category: "product_version", name: "tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", product: { name: "tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", product_id: "tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", }, }, { category: "product_version", name: "tomcat10-doc-10.1.20-150200.5.22.2.noarch", product: { name: "tomcat10-doc-10.1.20-150200.5.22.2.noarch", product_id: "tomcat10-doc-10.1.20-150200.5.22.2.noarch", }, }, { category: "product_version", name: "tomcat10-docs-webapp-10.1.20-150200.5.22.2.noarch", product: { name: "tomcat10-docs-webapp-10.1.20-150200.5.22.2.noarch", product_id: "tomcat10-docs-webapp-10.1.20-150200.5.22.2.noarch", }, }, { category: "product_version", name: "tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", product: { name: "tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", product_id: "tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", }, }, { category: "product_version", name: "tomcat10-embed-10.1.20-150200.5.22.2.noarch", product: { name: "tomcat10-embed-10.1.20-150200.5.22.2.noarch", product_id: "tomcat10-embed-10.1.20-150200.5.22.2.noarch", }, }, { category: "product_version", name: "tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", product: { name: "tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", product_id: "tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", }, }, { category: "product_version", name: "tomcat10-jsvc-10.1.20-150200.5.22.2.noarch", product: { name: "tomcat10-jsvc-10.1.20-150200.5.22.2.noarch", product_id: "tomcat10-jsvc-10.1.20-150200.5.22.2.noarch", }, }, { category: "product_version", name: "tomcat10-lib-10.1.20-150200.5.22.2.noarch", product: { name: "tomcat10-lib-10.1.20-150200.5.22.2.noarch", product_id: "tomcat10-lib-10.1.20-150200.5.22.2.noarch", }, }, { category: "product_version", name: "tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", product: { name: "tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", product_id: "tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", }, }, { category: "product_version", name: "tomcat10-webapps-10.1.20-150200.5.22.2.noarch", product: { name: "tomcat10-webapps-10.1.20-150200.5.22.2.noarch", product_id: "tomcat10-webapps-10.1.20-150200.5.22.2.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5", product: { name: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5", product_id: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-web-scripting:15:sp5", }, }, }, { category: "product_name", name: "openSUSE Leap 15.5", product: { name: "openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5", product_identification_helper: { cpe: "cpe:/o:opensuse:leap:15.5", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "tomcat10-10.1.20-150200.5.22.2.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5", product_id: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5", product_id: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5", product_id: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5", product_id: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-lib-10.1.20-150200.5.22.2.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5", product_id: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-lib-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5", product_id: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-webapps-10.1.20-150200.5.22.2.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5", product_id: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-webapps-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "SUSE Linux Enterprise Module for Web and Scripting 15 SP5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-10.1.20-150200.5.22.2.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:tomcat10-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-docs-webapp-10.1.20-150200.5.22.2.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:tomcat10-docs-webapp-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-docs-webapp-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-embed-10.1.20-150200.5.22.2.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:tomcat10-embed-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-embed-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-jsvc-10.1.20-150200.5.22.2.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:tomcat10-jsvc-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-jsvc-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-lib-10.1.20-150200.5.22.2.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-lib-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, { category: "default_component_of", full_product_name: { name: "tomcat10-webapps-10.1.20-150200.5.22.2.noarch as component of openSUSE Leap 15.5", product_id: "openSUSE Leap 15.5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", }, product_reference: "tomcat10-webapps-10.1.20-150200.5.22.2.noarch", relates_to_product_reference: "openSUSE Leap 15.5", }, ], }, vulnerabilities: [ { cve: "CVE-2024-23672", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-23672", }, ], notes: [ { category: "general", text: "Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-docs-webapp-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-embed-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-jsvc-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", ], }, references: [ { category: "external", summary: "CVE-2024-23672", url: "https://www.suse.com/security/cve/CVE-2024-23672", }, { category: "external", summary: "SUSE Bug 1221385 for CVE-2024-23672", url: "https://bugzilla.suse.com/1221385", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-docs-webapp-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-embed-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-jsvc-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-docs-webapp-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-embed-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-jsvc-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", ], }, ], threats: [ { category: "impact", date: "2024-04-11T10:43:42Z", details: "important", }, ], title: "CVE-2024-23672", }, { cve: "CVE-2024-24549", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2024-24549", }, ], notes: [ { category: "general", text: "Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\n\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\n\n", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-docs-webapp-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-embed-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-jsvc-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", ], }, references: [ { category: "external", summary: "CVE-2024-24549", url: "https://www.suse.com/security/cve/CVE-2024-24549", }, { category: "external", summary: "SUSE Bug 1221386 for CVE-2024-24549", url: "https://bugzilla.suse.com/1221386", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-docs-webapp-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-embed-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-jsvc-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", "SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-admin-webapps-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-docs-webapp-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-el-5_0-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-embed-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-jsp-3_1-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-jsvc-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-lib-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-servlet-6_0-api-10.1.20-150200.5.22.2.noarch", "openSUSE Leap 15.5:tomcat10-webapps-10.1.20-150200.5.22.2.noarch", ], }, ], threats: [ { category: "impact", date: "2024-04-11T10:43:42Z", details: "important", }, ], title: "CVE-2024-24549", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.