Bug 1219023 (CVE-2024-21733)

Summary: VUL-0: CVE-2024-21733: tomcat,tomcat10: leaking of unrelated request bodies in default error page
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: tomcat-maintainers <tomcat-maintainers>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andrea.mattiazzo, joyeta.modak, meissner, michele.bussolotto
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/391743/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-21733:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-01-19 16:56:24 UTC 
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.

Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-21733
https://seclists.org/oss-sec/2024/q1/34
https://www.cve.org/CVERecord?id=CVE-2024-21733
https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz
http://www.openwall.com/lists/oss-security/2024/01/19/2
https://bugzilla.redhat.com/show_bug.cgi?id=2259204

Patch:

8.5.x - https://github.com/apache/tomcat/commit/9b44626e136c89a107dd4458ad4bde6123359fd6
9.x - https://github.com/apache/tomcat/commit/ce4b154e7b48f66bd98858626347747cd2514311
10.x - https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a
Comment 2 Andrea Mattiazzo 2024-02-28 13:05:40 UTC 
Tracking as affected:
-SUSE:SLE-15-SP2:Update/tomcat
Comment 3 Andrea Mattiazzo 2024-02-28 13:06:59 UTC 
(In reply to Andrea Mattiazzo from comment #2)
> Tracking as affected:
> -SUSE:SLE-15-SP2:Update/tomcat

Miss typed, SUSE:SLE-12-SP4:Update/tomcat
Comment 4 Joyeta Modak 2024-03-01 17:25:57 UTC 
A customer is asking for the fix of CVE-2024-21733 on sles12-sp5. Is there an estimated date of release in the next MU.
Comment 7 Maintenance Automation 2024-03-11 08:30:01 UTC 
SUSE-SU-2024:0829-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1219023, 1220503
CVE References: CVE-2024-21733
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): tomcat-9.0.36-3.121.1
SUSE Linux Enterprise Server 12 SP5 (src): tomcat-9.0.36-3.121.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): tomcat-9.0.36-3.121.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 tomcat-maintainers 2024-07-08 10:35:32 UTC 
fixed