[thredds] Fwd: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Wed, 21 Jun 2023 11:18:50 -0600
Hello all,

If you're running your Tomcat instance behind a reverse proxy, please see
the following CVE advisory:


---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Wed, Jun 21, 2023 at 4:24 AM
Subject: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure
To: users@xxxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxxx>
Cc: <announce@xxxxxxxxxx>, announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>


CVE-2023-34981 Apache Tomcat - Information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M5
Apache Tomcat 10.1.8
Apache Tomcat 9.0.74
Apache Tomcat 8.5.88

Description:
The fix for bug 66512 introduced a regression that was fixed as bug
66591. The regression meant that, if a response did not have any HTTP
headers set, no AJP SEND_HEADERS message would be sent which in turn
meant that at least one AJP based proxy (mod_proxy_ajp) would use the
response headers from the previous request for the current request
leading to an information leak.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M6 or later
- Upgrade to Apache Tomcat 10.1.9 or later
- Upgrade to Apache Tomcat 9.0.75 or later
- Upgrade to Apache Tomcat 8.5.89 or later

Credit:
Hidenobu Hayashi and Yuichiro Fukubayashi of M3, Inc.

History:
2023-06-21 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
[5] https://bz.apache.org/bugzilla/show_bug.cgi?id=66512
[6] https://bz.apache.org/bugzilla/show_bug.cgi?id=66591
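The following is an added illustration and is not part of the forwarded message, nor code from Tomcat or mod_proxy_ajp. It models the AJP13 container-to-proxy messages the advisory refers to (SEND_HEADERS, prefix 0x04, and END_RESPONSE, prefix 0x05, using the public AJP13 packet layout with plain-string header names only) and a deliberately simplified proxy that keeps the last header set it received, which is the behaviour the advisory attributes to mod_proxy_ajp when SEND_HEADERS is missing. The `container_response` helper, the `StaleHeaderProxy` class and the sample Set-Cookie value are constructed for this example; the `fixed` flag switches between the regressed behaviour (no SEND_HEADERS when the response has no headers) and the corrected one (SEND_HEADERS always sent).

```python
"""Model of the AJP SEND_HEADERS omission behind CVE-2023-34981.

Added example, not Tomcat or httpd code.  Packet layout follows the public
AJP13 description; the proxy is a simplified stand-in, not mod_proxy_ajp.
"""
import struct

AJP_MAGIC = b"AB"      # container -> web server packets start with 'A','B'
SEND_HEADERS = 0x04    # AJP13 prefix code for SEND_HEADERS
END_RESPONSE = 0x05    # AJP13 prefix code for END_RESPONSE


def ajp_string(s):
    """AJP string: 2-byte big-endian length, bytes, NUL terminator."""
    data = s.encode("latin-1")
    return struct.pack(">H", len(data)) + data + b"\x00"


def packet(payload):
    """Wrap a payload in the container-side AJP framing (magic + length)."""
    return AJP_MAGIC + struct.pack(">H", len(payload)) + payload


def encode_send_headers(status, reason, headers):
    """SEND_HEADERS: status, reason, header count, then (name, value) pairs.
    Only plain-string header names are produced (assumption: no 0xA0xx codes)."""
    payload = bytes([SEND_HEADERS]) + struct.pack(">H", status) + ajp_string(reason)
    payload += struct.pack(">H", len(headers))
    for name, value in headers:
        payload += ajp_string(name) + ajp_string(value)
    return packet(payload)


def encode_end_response(reuse=True):
    """END_RESPONSE: prefix code plus a connection-reuse flag byte."""
    return packet(bytes([END_RESPONSE, 1 if reuse else 0]))


def container_response(headers, fixed):
    """Messages a container emits for a 200 response.  With fixed=False this
    models the regression: SEND_HEADERS is skipped when there are no headers."""
    msgs = []
    if fixed or headers:
        msgs.append(encode_send_headers(200, "OK", headers))
    msgs.append(encode_end_response())
    return msgs


def read_string(buf, pos):
    """Decode an AJP string at pos; return (value, position after the NUL)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("latin-1"), pos + 2 + n + 1


def decode_packet(raw):
    """Parse one container-side packet into a tuple tagged by message type."""
    if raw[:2] != AJP_MAGIC:
        raise ValueError("bad AJP magic")
    (length,) = struct.unpack_from(">H", raw, 2)
    payload = raw[4:4 + length]
    code = payload[0]
    if code == SEND_HEADERS:
        (status,) = struct.unpack_from(">H", payload, 1)
        reason, pos = read_string(payload, 3)
        (count,) = struct.unpack_from(">H", payload, pos)
        pos += 2
        headers = []
        for _ in range(count):
            name, pos = read_string(payload, pos)
            value, pos = read_string(payload, pos)
            headers.append((name, value))
        return ("SEND_HEADERS", status, reason, headers)
    if code == END_RESPONSE:
        return ("END_RESPONSE", bool(payload[1]))
    raise ValueError("unexpected prefix code 0x%02x" % code)


class StaleHeaderProxy:
    """Simplified proxy state: the header set persists across responses on a
    connection unless a SEND_HEADERS message overwrites it (hypothetical model)."""

    def __init__(self):
        self.status = None
        self.headers = []

    def handle_response(self, msgs):
        for m in msgs:
            parsed = decode_packet(m)
            if parsed[0] == "SEND_HEADERS":
                _, self.status, _, self.headers = parsed
            elif parsed[0] == "END_RESPONSE":
                break
        return list(self.headers)


def simulate(fixed):
    """Two back-to-back responses on one proxy connection: the first carries a
    constructed Set-Cookie header, the second sets no headers at all.
    Returns (headers_seen_for_first, headers_seen_for_second)."""
    proxy = StaleHeaderProxy()
    first = proxy.handle_response(
        container_response([("Set-Cookie", "JSESSIONID=abc123; HttpOnly")], fixed))
    second = proxy.handle_response(container_response([], fixed))
    return first, second


if __name__ == "__main__":
    print("regressed container, second response headers:", simulate(False)[1])
    print("fixed container,     second response headers:", simulate(True)[1])
```

Run it as-is: with the regressed behaviour the proxy attaches the first request's Set-Cookie header to the second, header-less response, which is the cross-request leak the advisory describes; with the fixed behaviour the second response arrives with an empty header set. Upgrading to the versions listed under Mitigation is the actual fix; this model only shows why the missing message matters.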