SUSE-SU-2023:4129-1: important: Security update for tomcat

sle-security-updates at lists.suse.com
Thu Oct 19 08:54:46 UTC 2023



# Security update for tomcat

Announcement ID: SUSE-SU-2023:4129-1  
Rating: important  
References:

  * bsc#1214666
  * bsc#1216182
  * jsc#PED-6376
  * jsc#PED-6377

  
Cross-References:

  * CVE-2023-41080
  * CVE-2023-44487

  
CVSS scores:

  * CVE-2023-41080 ( SUSE ):  6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
  * CVE-2023-41080 ( NVD ):  6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  * CVE-2023-44487 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2023-44487 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  
Affected Products:

  * SUSE Enterprise Storage 7.1
  * SUSE Linux Enterprise High Performance Computing 15 SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP3
  * SUSE Linux Enterprise High Performance Computing 15 SP4
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  * SUSE Linux Enterprise Server 15 SP2
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise Server 15 SP3
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  * SUSE Linux Enterprise Server 15 SP4
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5
  * SUSE Manager Proxy 4.3
  * SUSE Manager Retail Branch Server 4.3
  * SUSE Manager Server 4.2
  * SUSE Manager Server 4.3
  * Web and Scripting Module 15-SP4
  * Web and Scripting Module 15-SP5

  
  
An update that solves two vulnerabilities and contains two features can now be
installed.

## Description:

This update for tomcat fixes the following issues:

Tomcat was updated to version 9.0.82 (jsc#PED-6376, jsc#PED-6377):

  * Security issues fixed:

  * CVE-2023-41080: Avoid protocol relative redirects in FORM authentication.
    (bsc#1214666)

  * CVE-2023-44487: Fix HTTP/2 Rapid Reset Attack. (bsc#1216182)

  * Update to Tomcat 9.0.82:

  * Catalina

    * Add: 65770: Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates.
    * Fix: Fix handling of an error reading a context descriptor on deployment.
    * Fix: Fix rewrite rule qsd (query string discard) being ignored if qsa was also used, while it should instead take precedence.
    * Fix: 67472: Send fewer CORS-related headers when CORS is not actually being engaged.
    * Add: Improve handling of failures within recycle() methods.
  * Coyote

    * Fix: 67670: Fix regression with HTTP compression after code refactoring.
    * Fix: 67198: Ensure that the AJP connector attribute tomcatAuthorization takes precedence over the tomcatAuthentication attribute when processing an auth_type attribute received from a proxy server.
    * Fix: 67235: Fix a NullPointerException when an AsyncListener handles an error with a dispatch rather than a complete.
    * Fix: When an error occurs during asynchronous processing, ensure that the error handling process is only triggered once per asynchronous cycle.
    * Fix: Fix logic issue trying to match no argument method in IntrospectionUtils.
    * Fix: Improve thread safety around readNotify and writeNotify in the NIO2 endpoint.
    * Fix: Avoid rare thread safety issue accessing message digest map.
    * Fix: Improve statistics collection for upgraded connections under load.
    * Fix: Align validation of HTTP trailer fields with standard fields.
    * Fix: Improvements to HTTP/2 overhead protection. (bsc#1216182, CVE-2023-44487)
  * jdbc-pool

    * Fix: 67664: Correct a regression in the clean-up of unnecessary use of fully qualified class names in 9.0.81 that broke the jdbc-pool.
  * Jasper

    * Fix: 67080: Improve performance of EL expressions in JSPs that use implicit objects
  * Update to Tomcat 9.0.80 (jsc#PED-6376, jsc#PED-6377):

  * Catalina:

    * Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks
    * Move the management of the utility executor from the init()/destroy() methods of components to the start()/stop() methods.
    * Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual thread based executor that may be used with one or more Connectors to process requests received by those Connectors using virtual threads. This Executor requires a minimum Java version of Java 21.
    * Add a per session Semaphore to the PersistentValve that ensures that, within a single Tomcat instance, there is no more than one concurrent request per session. Also expand the debug logging to include whether a request bypasses the Valve and the reason if a request fails to obtain the per session Semaphore.
    * Ensure that the default servlet correctly escapes file names in directory listings when using XML output.
    * Add a numeric last modified field to the XML directory listings produced by the default servlet to enable sorting in the XSLT.
    * Attempts to lock a collection with WebDAV may incorrectly fail if a child collection has an expired lock.
    * Deprecate the xssProtectionEnabled setting from the HttpHeaderSecurityFilter and change the default value to false as support for the associated HTTP header has been removed from all major browsers.
    * Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information environment entries.
    * Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file.
    * Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately crafted to allow it even when allowLinking was set to false.
    * Add utility config file resource lookup on Context to allow looking up resources from the webapp (prefixed with webapp:) and make the resource lookup API more visible.
    * Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan.
    * Make parsing of ExtendedAccessLogValve patterns more robust.
    * Fix failure trying to persist configuration for an internal credential handler.
    * When serializing a session during the session persistence process, do not log a warning that null Principals are not serializable.
    * Catch NamingException in JNDIRealm#getPrincipal. It is used in Java up to 17 to signal closed connections.
    * Use the same naming format in log messages for Connector instances as the associated ProtocolHandler instance.
    * The parts count should also lower the actual maxParameterCount used for parsing parameters if parts are parsed first.
    * If an application or library sets both a non-500 error code and the javax.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
    * Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB.
  * Coyote:

    * Update the HTTP/2 implementation to use the prioritization scheme defined in RFC 9218 rather than the one defined in RFC 7540.
    * Fix not sending WINDOW_UPDATE when dataLength is ZERO on call SwallowedDataFramePayload.
    * Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather than reflecting the most recent conversion.
    * Correct certificate logging on start-up so it differentiates between keystore based keys/certificates and PEM file based keys/certificates and logs the relevant information for each.
    * Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from the Poller to be missed, resulting in a timeout rather than the expected read or write.
    * Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait.
    * Correct a regression introduced in 9.0.78 and use the correct constant when constructing the default value for the certificateKeystoreFile attribute of an SSLHostConfigCertificate instance.
    * Refactor HTTP/2 implementation to reduce pinning when using virtual threads.
    * Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM instead of producing an error trying to parse it.
    * Ensure that AsyncListener.onError() is called after an error during asynchronous processing with HTTP/2.
    * When using asynchronous I/O (the default for NIO and NIO2), include DATA frames when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated.
    * Correct a race condition that could cause spurious RST messages to be sent after the response had been written to an HTTP/2 stream.
  * WebSocket:

    * Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid characters from the base64 alphabet are used.
    * Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown.
    * Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before the onClose() event had been completed.
    * Fix a NullPointerException when flushing batched messages with compression enabled using permessage-deflate.
  * Web applications:

    * Documentation: Add RateLimitFilter, which can be used to mitigate DoS and Brute Force attacks.
    * Documentation: [entry truncated in the announcement] attribute in the configuration section for the Digest authentication valve.
    * Documentation: Expand the security guidance to cover the embedded use case and add notes on the uses made of the java.io.tmpdir system property.
    * Documentation: Fix a typo in the name of the algorithms
    * Documentation: Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB.
  * jdbc-pool:

    * Fix the releaseIdleCounter does not increment when testAllIdle releases them.
    * Fix the ConnectionState state will be inconsistent with actual state on the connection when an exception occurs while writing.
  * Other:

    * Update to Commons Daemon 1.3.4.
    * Improvements to French translations.
    * Update Checkstyle to 10.12.0.
    * Update the packaged version of the Apache Tomcat Native Library to 1.2.37 to pick up the Windows binaries built with OpenSSL 1.1.1u.
    * Include the Windows specific binary distributions in the files uploaded to Maven Central.
    * Improvements to French translations.
    * Improvements to Japanese translations.
    * Update UnboundID to 6.0.9.
    * Update Checkstyle to 10.12.1.
    * Update BND to 6.4.1.
    * 66665: Update JSign to 5.0.
    * Correct properties for JSign dependency.
    * Align documentation for maxParameterCount to match hard-coded defaults.
    * Update NSIS to 3.0.9.
    * Update Checkstyle to 10.12.2.
    * Improvements to French translations.
    * Improvements to Japanese translations.
    * Fix quoting so users can use the _RUNJAVA environment variable as intended on Windows when the path to the Java executable contains spaces.
    * Update Tomcat Native to 1.2.38 to pick up Windows binaries built with OpenSSL 1.1.1v.
    * Improvements to Chinese translations.
    * Improvements to French translations.
    * Improvements to Japanese translations.
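
The CVE-2023-41080 entry above concerns the FORM authenticator redirecting to a protocol-relative URL (a path beginning with `//`) taken from the original request, which a browser resolves to a different host. The following check is an added example, not Tomcat's code and not part of this announcement: it decides whether a redirect target that an application (or a reverse proxy validating upstream `Location` headers) is about to emit stays on the expected origin. The `SAMPLES` dictionary and the `intranet.example` / `evil.example` host names are constructed for illustration.

```python
"""Added example: classify redirect targets the way CVE-2023-41080 requires.

A leading '//' (and, in real browsers, '/\\') is a scheme-relative URL, so a
redirect to '//evil.example/app/' leaves the site even though the value looks
like an ordinary absolute path. Nothing here is Tomcat's own implementation.
"""
from urllib.parse import urlsplit


def is_protocol_relative(location: str) -> bool:
    """True when a client would treat the value as //host/... (scheme-relative)."""
    s = location.lstrip()  # clients ignore leading whitespace in Location
    return len(s) >= 2 and s[0] in "/\\" and s[1] in "/\\"


def is_safe_redirect(location: str, allowed_host: str) -> bool:
    """Accept a plain absolute path, or an http(s) URL whose host is allowed_host.

    Protocol-relative values, foreign hosts, userinfo tricks such as
    'https://allowed@evil.example/' and non-http schemes are all rejected.
    """
    if is_protocol_relative(location):
        return False
    try:
        parts = urlsplit(location)
    except ValueError:  # malformed (e.g. bad IPv6 literal): never follow it
        return False
    if parts.scheme or parts.netloc:
        return parts.scheme in ("http", "https") and parts.hostname == allowed_host
    return location.startswith("/")


# Constructed sample Location values with the expected verdict for
# allowed_host == "intranet.example" (assumed, illustrative host names).
SAMPLES = {
    "/app/index.jsp": True,
    "//evil.example/app/index.jsp": False,       # the CVE-2023-41080 shape
    "/\\evil.example/": False,                   # backslash variant browsers accept
    "https://intranet.example/app/": True,
    "https://evil.example/app/": False,
    "javascript:alert(1)": False,
}


def check_samples(allowed_host: str = "intranet.example") -> dict:
    """Run every sample through is_safe_redirect and return the verdicts."""
    return {loc: is_safe_redirect(loc, allowed_host) for loc in SAMPLES}


if __name__ == "__main__":
    for loc, verdict in check_samples().items():
        print(f"{'ALLOW' if verdict else 'BLOCK':5} {loc}")
```

The same predicate can be applied on a reverse proxy in front of an unpatched Tomcat as a stop-gap, but it is not a substitute for installing 9.0.82: the fixed authenticator no longer produces the protocol-relative value in the first place.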
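
The CVE-2023-44487 entries (the "Rapid Reset" fix and the HTTP/2 overhead protection improvements) address a client that opens streams with HEADERS and immediately cancels them with RST_STREAM, so that the server does the per-request work while the client spends almost nothing. The guard below is an added, illustrative example of that detection idea, not Tomcat's overhead accounting and not part of this announcement: it counts streams that the client resets before the server has sent any frame on them, and closes the connection once too many such resets fall inside a sliding window. The frame traces, thresholds and timing values are constructed for the example.

```python
"""Added example: per-connection Rapid Reset guard (CVE-2023-44487 pattern).

Illustrative only; Tomcat's real protection is its HTTP/2 overhead counting.
A frame is represented as (time_s, stream_id, frame_type, from_client).
"""
from collections import deque

HEADERS, DATA, RST_STREAM = "HEADERS", "DATA", "RST_STREAM"


class RapidResetGuard:
    """Scores one HTTP/2 connection.

    A stream the client opens and then resets before the server has sent
    anything on it is a 'cheap reset'. Too many of those inside window_s means
    the peer pays nothing per stream while the server does real work, so the
    connection should be closed (GOAWAY) rather than keep accepting streams.
    """

    def __init__(self, max_cheap_resets: int = 100, window_s: float = 1.0):
        self.max_cheap_resets = max_cheap_resets
        self.window_s = window_s
        self.unanswered = set()      # client streams with no server frame yet
        self.cheap_resets = deque()  # timestamps of cheap resets in the window

    def observe(self, now: float, stream_id: int, frame: str, from_client: bool) -> bool:
        """Feed one frame; return True when the connection should be closed."""
        if from_client and frame == HEADERS:
            self.unanswered.add(stream_id)
        elif not from_client and frame in (HEADERS, DATA):
            self.unanswered.discard(stream_id)  # server answered: real work done
        elif from_client and frame == RST_STREAM and stream_id in self.unanswered:
            self.unanswered.discard(stream_id)
            self.cheap_resets.append(now)
        while self.cheap_resets and now - self.cheap_resets[0] > self.window_s:
            self.cheap_resets.popleft()
        return len(self.cheap_resets) > self.max_cheap_resets


def replay(frames, **guard_kwargs):
    """Return the index of the first frame at which the guard trips, else None."""
    guard = RapidResetGuard(**guard_kwargs)
    for i, (t, sid, frame, from_client) in enumerate(frames):
        if guard.observe(t, sid, frame, from_client):
            return i
    return None


def attack_trace(n: int):
    """Constructed trace: n client streams opened and reset 0.1 ms apart."""
    out = []
    for k in range(n):
        sid = 2 * k + 1
        out.append((k * 1e-4, sid, HEADERS, True))
        out.append((k * 1e-4 + 5e-5, sid, RST_STREAM, True))
    return out


def benign_trace(n: int):
    """Constructed trace: n requests that each receive a response; the client
    cancels every one afterwards, which must not count as a cheap reset."""
    out = []
    for k in range(n):
        sid, t = 2 * k + 1, k * 0.01
        out.append((t, sid, HEADERS, True))
        out.append((t + 0.001, sid, HEADERS, False))
        out.append((t + 0.002, sid, DATA, False))
        out.append((t + 0.003, sid, RST_STREAM, True))
    return out


if __name__ == "__main__":
    print("attack trips at frame", replay(attack_trace(200)))
    print("benign trips at frame", replay(benign_trace(500)))
```

The threshold of 100 cheap resets per second is an assumed starting point; what matters is that responses the server has already started are not counted, so a legitimate client cancelling slow requests is not punished.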

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * Web and Scripting Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP5-2023-4129=1

  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-4129=1

  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4129=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4129=1

  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-4129=1

  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4129=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP2  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-4129=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP3  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4129=1

  * SUSE Manager Server 4.2  
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-4129=1

  * SUSE Enterprise Storage 7.1  
    zypper in -t patch SUSE-Storage-7.1-2023-4129=1

  * Web and Scripting Module 15-SP4  
    zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP4-2023-4129=1
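
After applying the patch, confirm that the installed tomcat package is at least the fixed build (9.0.82-150200.46.1 from the package list in this announcement). The script below is an added example, not part of the SUSE announcement: it reimplements the core of RPM's version ordering (segment-wise rpmvercmp comparison, without epoch, tilde or caret handling) so the comparison can be exercised offline, and `main()` queries `rpm` on the host when it is available.

```python
"""Added example: check the installed tomcat package against the fixed version.

Not part of the SUSE advisory. The comparison mirrors rpmvercmp's segment
rules (numeric vs. alphabetic segments, numeric newer than alpha, longer
segment list newer) but omits epoch and the '~'/'^' special cases.
"""
import re
import subprocess

FIXED = "9.0.82-150200.46.1"  # tomcat-9.0.82-150200.46.1 from this advisory
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 ordering two version (or release) strings rpm-style."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)  # int() drops leading zeros like rpm does
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            return 1 if xd else -1  # a numeric segment sorts after an alpha one
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def split_evr(evr: str):
    """'9.0.82-150200.46.1' -> ('9.0.82', '150200.46.1'); no release -> ''."""
    ver, _, rel = evr.rpartition("-")
    if not ver:
        return rel, ""
    return ver, rel


def compare_evr(installed: str, fixed: str) -> int:
    """Compare VERSION first, then RELEASE, as rpm does."""
    iv, ir = split_evr(installed)
    fv, fr = split_evr(fixed)
    c = rpmvercmp(iv, fv)
    return c if c else rpmvercmp(ir, fr)


def is_fixed(installed: str, fixed: str = FIXED) -> bool:
    """True when the installed VERSION-RELEASE is at or above the fixed build."""
    return compare_evr(installed, fixed) >= 0


def installed_tomcat_version():
    """Ask rpm for VERSION-RELEASE of tomcat; None if absent or rpm unavailable."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "tomcat"],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


def main():
    v = installed_tomcat_version()
    if v is None:
        print("tomcat not installed, or rpm not available on this host")
        return
    state = "patched" if is_fixed(v) else "VULNERABLE: apply SUSE-SU-2023:4129-1"
    print(f"tomcat {v}: {state}")


if __name__ == "__main__":
    main()
```

Run it on the SLES host after `zypper patch`; a version check of this kind is also what a configuration-compliance scanner does, so the comparison rules matter: `9.0.82-150200.45.1` must be reported as vulnerable even though the upstream version number already reads 9.0.82.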

## Package List:

  * Web and Scripting Module 15-SP5 (noarch)
    * tomcat-jsp-2_3-api-9.0.82-150200.46.1
    * tomcat-9.0.82-150200.46.1
    * tomcat-servlet-4_0-api-9.0.82-150200.46.1
    * tomcat-webapps-9.0.82-150200.46.1
    * tomcat-admin-webapps-9.0.82-150200.46.1
    * tomcat-el-3_0-api-9.0.82-150200.46.1
    * tomcat-lib-9.0.82-150200.46.1
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
    * tomcat-jsp-2_3-api-9.0.82-150200.46.1
    * tomcat-9.0.82-150200.46.1
    * tomcat-servlet-4_0-api-9.0.82-150200.46.1
    * tomcat-webapps-9.0.82-150200.46.1
    * tomcat-admin-webapps-9.0.82-150200.46.1
    * tomcat-el-3_0-api-9.0.82-150200.46.1
    * tomcat-lib-9.0.82-150200.46.1
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (noarch)
    * tomcat-jsp-2_3-api-9.0.82-150200.46.1
    * tomcat-9.0.82-150200.46.1
    * tomcat-servlet-4_0-api-9.0.82-150200.46.1
    * tomcat-webapps-9.0.82-150200.46.1
    * tomcat-admin-webapps-9.0.82-150200.46.1
    * tomcat-el-3_0-api-9.0.82-150200.46.1
    * tomcat-lib-9.0.82-150200.46.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
    * tomcat-jsp-2_3-api-9.0.82-150200.46.1
    * tomcat-9.0.82-150200.46.1
    * tomcat-servlet-4_0-api-9.0.82-150200.46.1
    * tomcat-webapps-9.0.82-150200.46.1
    * tomcat-admin-webapps-9.0.82-150200.46.1
    * tomcat-el-3_0-api-9.0.82-150200.46.1
    * tomcat-lib-9.0.82-150200.46.1
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
    * tomcat-jsp-2_3-api-9.0.82-150200.46.1
    * tomcat-9.0.82-150200.46.1
    * tomcat-servlet-4_0-api-9.0.82-150200.46.1
    * tomcat-webapps-9.0.82-150200.46.1
    * tomcat-admin-webapps-9.0.82-150200.46.1
    * tomcat-el-3_0-api-9.0.82-150200.46.1
    * tomcat-lib-9.0.82-150200.46.1
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
    * tomcat-jsp-2_3-api-9.0.82-150200.46.1
    * tomcat-9.0.82-150200.46.1
    * tomcat-servlet-4_0-api-9.0.82-150200.46.1
    * tomcat-webapps-9.0.82-150200.46.1
    * tomcat-admin-webapps-9.0.82-150200.46.1
    * tomcat-el-3_0-api-9.0.82-150200.46.1
    * tomcat-lib-9.0.82-150200.46.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
    * tomcat-jsp-2_3-api-9.0.82-150200.46.1
    * tomcat-9.0.82-150200.46.1
    * tomcat-servlet-4_0-api-9.0.82-150200.46.1
    * tomcat-webapps-9.0.82-150200.46.1
    * tomcat-admin-webapps-9.0.82-150200.46.1
    * tomcat-el-3_0-api-9.0.82-150200.46.1
    * tomcat-lib-9.0.82-150200.46.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
    * tomcat-jsp-2_3-api-9.0.82-150200.46.1
    * tomcat-9.0.82-150200.46.1
    * tomcat-servlet-4_0-api-9.0.82-150200.46.1
    * tomcat-webapps-9.0.82-150200.46.1
    * tomcat-admin-webapps-9.0.82-150200.46.1
    * tomcat-el-3_0-api-9.0.82-150200.46.1
    * tomcat-lib-9.0.82-150200.46.1
  * SUSE Manager Server 4.2 (noarch)
    * tomcat-jsp-2_3-api-9.0.82-150200.46.1
    * tomcat-9.0.82-150200.46.1
    * tomcat-servlet-4_0-api-9.0.82-150200.46.1
    * tomcat-webapps-9.0.82-150200.46.1
    * tomcat-admin-webapps-9.0.82-150200.46.1
    * tomcat-el-3_0-api-9.0.82-150200.46.1
    * tomcat-lib-9.0.82-150200.46.1
  * SUSE Enterprise Storage 7.1 (noarch)
    * tomcat-jsp-2_3-api-9.0.82-150200.46.1
    * tomcat-9.0.82-150200.46.1
    * tomcat-servlet-4_0-api-9.0.82-150200.46.1
    * tomcat-webapps-9.0.82-150200.46.1
    * tomcat-admin-webapps-9.0.82-150200.46.1
    * tomcat-el-3_0-api-9.0.82-150200.46.1
    * tomcat-lib-9.0.82-150200.46.1
  * Web and Scripting Module 15-SP4 (noarch)
    * tomcat-jsp-2_3-api-9.0.82-150200.46.1
    * tomcat-9.0.82-150200.46.1
    * tomcat-servlet-4_0-api-9.0.82-150200.46.1
    * tomcat-webapps-9.0.82-150200.46.1
    * tomcat-admin-webapps-9.0.82-150200.46.1
    * tomcat-el-3_0-api-9.0.82-150200.46.1
    * tomcat-lib-9.0.82-150200.46.1

## References:

  * https://www.suse.com/security/cve/CVE-2023-41080.html
  * https://www.suse.com/security/cve/CVE-2023-44487.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1214666
  * https://bugzilla.suse.com/show_bug.cgi?id=1216182
  * https://jira.suse.com/browse/PED-6376
  * https://jira.suse.com/browse/PED-6377
