[SUSE-SU-2023:4129-1] Security update for tomcat

Severity: Important
Affected Packages: 14
CVEs: 2

Security update for tomcat

This update for tomcat fixes the following issues:

Tomcat was updated to version 9.0.82 (jsc#PED-6376, jsc#PED-6377):

  • Security issues fixed:

    • CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. (bsc#1214666)
    • CVE-2023-44487: Fix HTTP/2 Rapid Reset Attack. (bsc#1216182)
  • Update to Tomcat 9.0.82:

    • Catalina

    • Add: 65770: Provide a lifecycle listener that will
      automatically reload TLS configurations a set time before the
      certificate is due to expire. This is intended to be used with
      third-party tools that regularly renew TLS certificates.

    • Fix: Fix handling of an error reading a context descriptor on
      deployment.

    • Fix: Fix the rewrite rule flag qsd (query string discard) being ignored
      if qsa was also used; qsd should instead take precedence.

    • Fix: 67472: Send fewer CORS-related headers when CORS is not
      actually being engaged.

    • Add: Improve handling of failures within recycle() methods.

    • Coyote

    • Fix: 67670: Fix regression with HTTP compression after code
      refactoring.

    • Fix: 67198: Ensure that the AJP connector attribute
      tomcatAuthorization takes precedence over the
      tomcatAuthentication attribute when processing an auth_type
      attribute received from a proxy server.

    • Fix: 67235: Fix a NullPointerException when an AsyncListener
      handles an error with a dispatch rather than a complete.

    • Fix: When an error occurs during asynchronous processing,
      ensure that the error handling process is only triggered once
      per asynchronous cycle.

    • Fix: Fix a logic issue when trying to match a no-argument method in
      IntrospectionUtils.

    • Fix: Improve thread safety around readNotify and writeNotify
      in the NIO2 endpoint.

    • Fix: Avoid rare thread safety issue accessing message digest
      map.

    • Fix: Improve statistics collection for upgraded connections
      under load.

    • Fix: Align validation of HTTP trailer fields with standard
      fields.

    • Fix: Improvements to HTTP/2 overhead protection (bsc#1216182,
      CVE-2023-44487)

    • jdbc-pool

    • Fix: 67664: Correct a regression in the clean-up of
      unnecessary use of fully qualified class names in 9.0.81
      that broke the jdbc-pool.

    • Jasper

    • Fix: 67080: Improve performance of EL expressions in JSPs that
      use implicit objects.

  • Update to Tomcat 9.0.80 (jsc#PED-6376, jsc#PED-6377):

    • Catalina:

    • Add RateLimitFilter, which can be used to mitigate DoS and brute force attacks.

    • Move the management of the utility executor from the init()/destroy() methods of components to the start()/stop()
      methods.

    • Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual thread based executor that may be used with
      one or more Connectors to process requests received by those Connectors using virtual threads. This Executor
      requires a minimum Java version of Java 21.

    • Add a per session Semaphore to the PersistentValve that ensures that, within a single Tomcat instance, there is no
      more than one concurrent request per session. Also expand the debug logging to include whether a request bypasses
      the Valve and the reason if a request fails to obtain the per session Semaphore.

    • Ensure that the default servlet correctly escapes file names in directory listings when using XML output.

    • Add a numeric last modified field to the XML directory listings produced by the default servlet to enable sorting
      in the XSLT.

    • Fix a bug where attempts to lock a collection with WebDAV could incorrectly fail if a child collection had an
      expired lock.

    • Deprecate the xssProtectionEnabled setting from the HttpHeaderSecurityFilter and change the default value to false
      as support for the associated HTTP header has been removed from all major browsers.

    • Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information
      environment entries.

    • Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping
      from a properties file.

    • Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately
      crafted to allow it even when allowLinking was set to false.

    • Add utility config file resource lookup on Context to allow looking up resources from the webapp
      (prefixed with webapp:) and make the resource lookup API more visible.

    • Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan.

    • Make parsing of ExtendedAccessLogValve patterns more robust.

    • Fix failure trying to persist configuration for an internal credential handler.

    • When serializing a session during the session persistence process, do not log a warning that null Principals are
      not serializable.

    • Catch NamingException in JNDIRealm#getPrincipal. It is used in Java up to 17 to signal closed connections.

    • Use the same naming format in log messages for Connector instances as the associated ProtocolHandler instance.

    • The parts count should also lower the actual maxParameterCount used for parsing parameters if parts are parsed
      first.

    • If an application or library sets both a non-500 error code and the XXXXXXXXXXXXX.error.exception request
      attribute, use the provided error code during error page processing rather than assuming an error code of 500.

    • Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and
      kB.

    • Coyote:

    • Update the HTTP/2 implementation to use the prioritization scheme defined in RFC 9218 rather than the one defined
      in RFC 7540.

    • Fix WINDOW_UPDATE not being sent when dataLength is zero in a call to SwallowedDataFramePayload.

    • Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather
      than reflecting the most recent conversion.

    • Correct certificate logging on start-up so it differentiates between keystore based keys/certificates and
      PEM file based keys/certificates, and logs the relevant information for each.

    • Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from
      the Poller to be missed, resulting in a timeout rather than the expected read or write.

    • Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait.

    • Correct a regression introduced in 9.0.78 and use the correct constant when constructing the default value for the
      certificateKeystoreFile attribute of an SSLHostConfigCertificate instance.

    • Refactor HTTP/2 implementation to reduce pinning when using virtual threads.

    • Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM, instead of producing an error trying
      to parse it.

    • Ensure that AsyncListener.onError() is called after an error during asynchronous processing with HTTP/2.

    • When using asynchronous I/O (the default for NIO and NIO2), include DATA frames when calculating the HTTP/2
      overhead count to ensure that connections are not prematurely terminated.

    • Correct a race condition that could cause spurious RST messages to be sent after the response had been written to
      an HTTP/2 stream.

    • WebSocket:

    • Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a
      WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid
      characters from the base64 alphabet are used.

    • Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown.

    • Correct a regression in the fix for 66574 that meant the WebSocket session could return false for isOpen() before
      the onClose() event had been completed.

    • Fix a NullPointerException when flushing batched messages with compression enabled using permessage-deflate.

    • Web applications:

    • Add RateLimitFilter, which can be used to mitigate DoS and brute force attacks.

    • Documentation: Expand the security guidance to cover the embedded use case and add notes on the uses made of the
      java.io.tmpdir system property.

    • Documentation: Fix a typo in the name of the algorithms attribute in the configuration section for the Digest
      authentication valve.

    • Documentation: Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB.

    • jdbc-pool:

    • Fix releaseIdleCounter not being incremented when testAllIdle releases idle connections.

    • Fix ConnectionState becoming inconsistent with the actual state of the connection when an exception occurs
      while writing.

    • Other:

    • Update to Commons Daemon 1.3.4.

    • Improvements to French translations.

    • Update Checkstyle to 10.12.0.

    • Update the packaged version of the Apache Tomcat Native Library to 1.2.37 to pick up the Windows binaries built
      with OpenSSL 1.1.1u.

    • Include the Windows specific binary distributions in the files uploaded to Maven Central.

    • Improvements to French translations.

    • Improvements to Japanese translations.

    • Update UnboundID to 6.0.9.

    • Update Checkstyle to 10.12.1.

    • Update BND to 6.4.1.

    • 66665: Update JSign to 5.0.

    • Correct properties for JSign dependency.

    • Align documentation for maxParameterCount to match hard-coded defaults.

    • Update NSIS to 3.0.9.

    • Update Checkstyle to 10.12.2.

    • Improvements to French translations.

    • Improvements to Japanese translations.

    • Fix quoting so users can use the _RUNJAVA environment variable as intended on Windows when the path to the Java
      executable contains spaces.

    • Update Tomcat Native to 1.2.38 to pick up Windows binaries built with OpenSSL 1.1.1v.

    • Improvements to Chinese translations.

    • Improvements to French translations.

    • Improvements to Japanese translations.

ID: SUSE-SU-2023:4129-1
Severity: important
URL: https://www.suse.com/support/update/announcement/2023/suse-su-20234129-1/
Published: 2023-10-19T07:52:28
Modified: 2023-10-19T07:52:28
Rights: Copyright 2024 SUSE LLC. All rights reserved.
Affected packages (no patch/fix entry is given for any row; all are fixed in 9.0.82-150200.46.1):

Type | Package URL | Namespace | Name | Version | Distribution | Arch
Affected | pkg:rpm/suse/tomcat?arch=noarch&distro=sles-15&sp=3 | suse | tomcat | < 9.0.82-150200.46.1 | sles-15 | noarch
Affected | pkg:rpm/suse/tomcat?arch=noarch&distro=sles-15&sp=2 | suse | tomcat | < 9.0.82-150200.46.1 | sles-15 | noarch
Affected | pkg:rpm/suse/tomcat-webapps?arch=noarch&distro=sles-15&sp=3 | suse | tomcat-webapps | < 9.0.82-150200.46.1 | sles-15 | noarch
Affected | pkg:rpm/suse/tomcat-webapps?arch=noarch&distro=sles-15&sp=2 | suse | tomcat-webapps | < 9.0.82-150200.46.1 | sles-15 | noarch
Affected | pkg:rpm/suse/tomcat-servlet-4_0-api?arch=noarch&distro=sles-15&sp=3 | suse | tomcat-servlet-4_0-api | < 9.0.82-150200.46.1 | sles-15 | noarch
Affected | pkg:rpm/suse/tomcat-servlet-4_0-api?arch=noarch&distro=sles-15&sp=2 | suse | tomcat-servlet-4_0-api | < 9.0.82-150200.46.1 | sles-15 | noarch
Affected | pkg:rpm/suse/tomcat-lib?arch=noarch&distro=sles-15&sp=3 | suse | tomcat-lib | < 9.0.82-150200.46.1 | sles-15 | noarch
Affected | pkg:rpm/suse/tomcat-lib?arch=noarch&distro=sles-15&sp=2 | suse | tomcat-lib | < 9.0.82-150200.46.1 | sles-15 | noarch
Affected | pkg:rpm/suse/tomcat-jsp-2_3-api?arch=noarch&distro=sles-15&sp=3 | suse | tomcat-jsp-2_3-api | < 9.0.82-150200.46.1 | sles-15 | noarch
Affected | pkg:rpm/suse/tomcat-jsp-2_3-api?arch=noarch&distro=sles-15&sp=2 | suse | tomcat-jsp-2_3-api | < 9.0.82-150200.46.1 | sles-15 | noarch
Affected | pkg:rpm/suse/tomcat-el-3_0-api?arch=noarch&distro=sles-15&sp=3 | suse | tomcat-el-3_0-api | < 9.0.82-150200.46.1 | sles-15 | noarch
Affected | pkg:rpm/suse/tomcat-el-3_0-api?arch=noarch&distro=sles-15&sp=2 | suse | tomcat-el-3_0-api | < 9.0.82-150200.46.1 | sles-15 | noarch
Affected | pkg:rpm/suse/tomcat-admin-webapps?arch=noarch&distro=sles-15&sp=3 | suse | tomcat-admin-webapps | < 9.0.82-150200.46.1 | sles-15 | noarch
Affected | pkg:rpm/suse/tomcat-admin-webapps?arch=noarch&distro=sles-15&sp=2 | suse | tomcat-admin-webapps | < 9.0.82-150200.46.1 | sles-15 | noarch
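As an added example (not part of the SUSE advisory), a small Python check that takes the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` on a SLES 15 host and reports which of the packages in the table above are still older than the fixed version; the rpm label comparison is a simplified reimplementation of rpm's own ordering rules (numeric, alpha and tilde handling), and the sample input is constructed.

```python
import re
FIXED_VERSION = "9.0.82-150200.46.1"  # fixed version from the advisory table
AFFECTED_PACKAGES = {
    "tomcat", "tomcat-webapps", "tomcat-servlet-4_0-api", "tomcat-lib",
    "tomcat-jsp-2_3-api", "tomcat-el-3_0-api", "tomcat-admin-webapps",
}
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")  # rpm ignores other separators

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm label compare: digits numerically, letters lexically,
    numeric beats alpha, '~' sorts before anything (1.0~rc1 < 1.0)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        xn, yn = x.isdigit(), y.isdigit()
        if xn != yn:
            return 1 if xn else -1
        if xn:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return -1 if len(x) < len(y) else 1
        if x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    longer = sa if len(sa) > len(sb) else sb
    if longer[min(len(sa), len(sb))] == "~":  # extra '~' segment means older
        return -1 if longer is sa else 1
    return 1 if len(sa) > len(sb) else -1

def compare_evr(v1: str, v2: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    ver1, _, rel1 = v1.partition("-")
    ver2, _, rel2 = v2.partition("-")
    return rpmvercmp(ver1, ver2) or rpmvercmp(rel1, rel2)

def still_affected(rpm_lines: str) -> list:
    """Return advisory package names whose 'NAME VERSION-RELEASE' line is older than the fix."""
    hits = []
    for line in rpm_lines.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in AFFECTED_PACKAGES:
            if compare_evr(parts[1], FIXED_VERSION) < 0:
                hits.append(parts[0])
    return hits

# Constructed sample of rpm output; only the first line is below the fix.
SAMPLE = ("tomcat 9.0.79-150200.43.1\ntomcat-lib 9.0.82-150200.46.1\n"
          "tomcat-el-3_0-api 9.0.82-150200.46.2\napache2 2.4.51-150200.3.63.1\n")
```

Calling `still_affected(SAMPLE)` returns `['tomcat']`; pipe real rpm output into it to audit a host, and treat any hit as needing the advisory's update.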