[thredds] Fwd: [SECURITY] CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Mon, 22 May 2023 09:23:23 -0600
There is a medium-level CVE for connector settings for older versions of
Tomcat.


---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Mon, May 22, 2023 at 4:05 AM
Subject: [SECURITY] CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete
To: users@xxxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxxx>
Cc: <announce@xxxxxxxxxx>, announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>


CVE-2023-28709 Apache Tomcat - Fix for CVE-2023-24998 was incomplete

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M2 to 11.0.0-M4
Apache Tomcat 10.1.5 to 10.1.7
Apache Tomcat 9.0.71 to 9.0.73
Apache Tomcat 8.5.85 to 8.5.87

Description:
The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector
settings were used such that the maxParameterCount could be reached
using query string parameters and a request was submitted that supplied
exactly maxParameterCount parameters in the query string, the limit for
uploaded request parts could be bypassed with the potential for a denial
of service to occur.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M5 or later
- Upgrade to Apache Tomcat 10.1.8 or later
- Upgrade to Apache Tomcat 9.0.74 or later
- Upgrade to Apache Tomcat 8.5.88 or later

Credit:
This issue was identified by Chenwei Jiang, Chenfeng Nie and Yue Yang
from the Huawei Nebula Security Lab

History:
2023-05-22 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
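As an added example (not part of the advisory or of the THREDDS list post), a small Python check that maps a deployed Tomcat version onto the affected ranges and first fixed releases listed in the advisory, handling the 11.0.0 milestone builds separately from GA releases. `version_from_banner` assumes the `Server version: Apache Tomcat/x.y.z` line printed by Tomcat's version script; everything else is constructed here.

```python
"""Check a Tomcat version against the CVE-2023-28709 affected ranges."""
import re
from typing import Optional, Tuple

# Affected ranges and first fixed version, copied from the advisory text:
# (first affected, last affected, first fixed)
ADVISORY = [
    ("11.0.0-M2", "11.0.0-M4", "11.0.0-M5"),
    ("10.1.5", "10.1.7", "10.1.8"),
    ("9.0.71", "9.0.73", "9.0.74"),
    ("8.5.85", "8.5.87", "8.5.88"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_BANNER_RE = re.compile(r"Server version:\s*Apache Tomcat/(\S+)")

# Milestone builds (11.0.0-M3) precede the GA release of the same number,
# so GA gets a milestone rank larger than any real milestone.
_GA_RANK = 10**6


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch' or 'major.minor.patch-Mn' into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    rank = int(milestone) if milestone is not None else _GA_RANK
    return (int(major), int(minor), int(patch), rank)


def check_version(text: str) -> Optional[str]:
    """Return the first fixed release if `text` is in an affected range, else None."""
    v = parse_version(text)
    for first, last, fixed in ADVISORY:
        if parse_version(first) <= v <= parse_version(last):
            return fixed
    return None


def version_from_banner(line: str) -> Optional[str]:
    """Extract the version from the 'Server version: Apache Tomcat/...' line
    (assumed format of Tomcat's version script output)."""
    m = _BANNER_RE.search(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample banner line for a stand-alone run.
    v = version_from_banner("Server version: Apache Tomcat/9.0.72")
    print(v, "->", check_version(v) or "not affected")
```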