Bug#991046: tomcat9: CVE-2021-33037 CVE-2021-30640 CVE-2021-30639

Tue Jul 13 13:10:48 BST 2021

Source: tomcat9
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for tomcat9.

Commit references below, although it's worth considering to simply
update to 9.0.47, given that stable-security upgraded to new
Tomcat point releases before.

CVE-2021-33037[0]:
| Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to
| 8.5.66 did not correctly parse the HTTP transfer-encoding request
| header in some circumstances leading to the possibility to request
| smuggling when used with a reverse proxy. Specifically: - Tomcat
| incorrectly ignored the transfer encoding header if the client
| declared it would only accept an HTTP/1.0 response; - Tomcat honoured
| the identify encoding; and - Tomcat did not ensure that, if present,
| the chunked encoding was the final encoding.

https://github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e (9.0.47)
https://github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8 (9.0.47)
https://github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0 (9.0.47)

CVE-2021-30640[1]:
| A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker
| to authenticate using variations of a valid user name and/or to bypass
| some of the protection provided by the LockOut Realm. This issue
| affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0
| to 8.5.65.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65224
https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb (9.0.46)
https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434 (9.0.46)
https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e (9.0.46)
https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56 (9.0.46)
https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862 (9.0.46)
https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43 (9.0.46)
https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0 (9.0.46)
https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945 (9.0.46)

CVE-2021-30639[2]:
| A vulnerability in Apache Tomcat allows an attacker to remotely
| trigger a denial of service. An error introduced as part of a change
| to improve error handling during non-blocking I/O meant that the error
| flag associated with the Request object was not reset between
| requests. This meant that once a non-blocking I/O error occurred, all
| future requests handled by that request object would fail. Users were
| able to trigger non-blocking I/O errors, e.g. by dropping a
| connection, thereby creating the possibility of triggering a DoS.
| Applications that do not use non-blocking I/O are not exposed to this
| vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4;
| 9.0.44; 8.5.64.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65203
https://github.com/apache/tomcat/commit/8ece47c4a9fb9349e8862c84358a4dd23c643a24 (9.0.45)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33037
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037
[1] https://security-tracker.debian.org/tracker/CVE-2021-30640
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640
[2] https://security-tracker.debian.org/tracker/CVE-2021-30639
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639

Please adjust the affected versions in the BTS as needed.