Bug 1212612 (CVE-2023-34981)

Summary: VUL-0: CVE-2023-34981: tomcat6,tomcat: information disclosure
Product: [Novell Products] SUSE Security Incidents Reporter: Cathy Hu <cathy.hu>
Component: IncidentsAssignee: Michele Bussolotto <michele.bussolotto>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P2 - High CC: michele.bussolotto, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/370073/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Cathy Hu 2023-06-22 08:31:45 UTC 
CVE-2023-34981

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74
and 8.5.88 meant that, if a response did not include any HTTP headers no AJP
SEND_HEADERS messare woudl be sent for the response which in turn meant that at
least one AJP proxy (mod_proxy_ajp) would use the response headers from the
previous request leading to an information leak.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-34981
https://bugzilla.redhat.com/show_bug.cgi?id=2216439
https://www.cve.org/CVERecord?id=CVE-2023-34981
http://www.cvedetails.com/cve/CVE-2023-34981/
https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz
Comment 2 Cathy Hu 2023-06-22 08:35:38 UTC 
nvm we are not affected, see introducing bugfix introducing the issue: https://bz.apache.org/bugzilla/show_bug.cgi?id=66512

Fix: https://github.com/apache/tomcat/commit/739c7381aed22b7636351caf885ddc519ab6b442

Not Affected (do not contain introducing commit https://github.com/apache/tomcat/commit/7c122e0f2c6f80cd5a1812afda5b0d5f751636aa)
- SUSE:ALP:Source:Standard:1.0/tomcat
- SUSE:SLE-11:Update/tomcat6
- SUSE:SLE-12-SP2:Update/tomcat
- SUSE:SLE-12-SP4:Update/tomcat
- SUSE:SLE-15-SP1:Update/tomcat
- SUSE:SLE-15:Update/tomcat

Not affected (already fixed version):
- SUSE:SLE-15-SP2:Update/tomcat
- openSUSE:Factory/tomcat
Comment 3 Cathy Hu 2023-06-22 08:35:57 UTC 
closing