NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.
To learn about what's going on, see About the Archive Site.
NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.
To learn about what's going on, see About the Archive Site.
Hello all, A new CVE for Tomcat was announced. While the severity of it is listed as 'low' we encourage everyone to stay on top of their tomcat and TDS upgrades and run the most current versions available. This is also a good time to remind everyone to run their servlet containers as an underprivileged user and never as the root user (see CVE details). For more information about running your servlet container with the correct permissions, please see: https://docs.unidata.ucar.edu/tds/current/userguide/tomcat_permissions.html Cheers, Jennifer ---------- Forwarded message --------- From: Mark Thomas <markt@xxxxxxxxxx> Date: Wed, Jan 26, 2022 at 4:13 AM Subject: [SECURITY] CVE-2022-23181 Apache Tomcat Local Privilege Escalation To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx> Cc: announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, < announce@xxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx> CVE-2022-23181 Apache Tomcat Local Privilege Escalation Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.1.0-M1 to 10.1.0-M8 Apache Tomcat 10.0.0-M5 to 10.0.14 Apache Tomcat 9.0.35 to 9.0.56 Apache Tomcat 8.5.55 to 8.5.73 Description: The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 10.1.0-M10 or later - Upgrade to Apache Tomcat 10.0.16 or later - Upgrade to Apache Tomcat 9.0.58 or later - Upgrade to Apache Tomcat 8.5.75 or later Note: This issue was fixed in Apache Tomcat 10.1.0-M9, 10.0.15, 9.0.57 and 8.5.74 but the release vote for those release candidates did not pass. Therefore, although users must download 10.1.0-M10, 10.0.16, 9.0.58 or 8.5.75 to obtain a version that includes a fix for this issue, versions 10.1.0-M9, 10.0.15, 9.0.57 and 8.5.74 are not included in the list of affected versions. History: 2022-01-26 Original advisory Credit: This issue was reported to the Apache Tomcat Security team by Trung Pham of Viettel Cyber Security. References: [1] https://tomcat.apache.org/security-10.html [2] https://tomcat.apache.org/security-9.html [3] https://tomcat.apache.org/security-8.html
thredds archives: