Bugzilla – Bug 1182909
VUL-0: CVE-2021-25329: tomcat,tomcat6: Apache Tomcat Incomplete fix for
Last modified: 2021-09-14 15:45:42 UTC
CVE-2021-25329: The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25329
http://www.openwall.com/lists/oss-security/2021/03/01/2
http://seclists.org/oss-sec/2021/q1/184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25329
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E
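The advisory text above only says that the CVE-2020-9484 prerequisites and mitigations still apply. The prerequisite that matters for an audit is the Tomcat advisory's configuration edge case: a PersistentManager backed by a FileStore whose sessionAttributeValueClassNameFilter is unset (Tomcat's default without a SecurityManager) or lax enough to let an attacker-supplied class be deserialized from a session file. The following is an added example, not code from this bug, from SUSE or from the Tomcat project. It checks a context.xml for that edge case and shows the weak configuration next to a hardened one. The XML samples, the probe class name org.example.NotASessionAttribute and the function name audit_context are constructed for this example; the file-store attack path itself is not reproduced here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the weak edge case. PersistentManager + FileStore and no attribute
# filter, so classes in a reloaded session file are not allow-listed before deserialization.
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>
"""

# Constructed sample: a filter is set, but ".*" accepts every class name (a "sufficiently
# lax filter" in the wording of the CVE-2020-9484 advisory).
LAX_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter=".*">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>
"""

# Constructed sample: hardened variant with an explicit allow-list of attribute value
# classes (the pattern Tomcat itself uses as the SecurityManager default).
HARDENED_CONTEXT_XML = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>
"""

# Constructed sample: no Manager element at all, so Tomcat uses StandardManager
# (no FileStore, outside the edge case).
DEFAULT_CONTEXT_XML = "<Context/>\n"

# Constructed probe: a class name no sane session-attribute allow-list should accept.
# Tomcat applies the filter as a full match (Matcher.matches()), so re.fullmatch mirrors it.
PROBE_CLASS = "org.example.NotASessionAttribute"


def audit_context(xml_text):
    """Return a list of findings for the CVE-2020-9484 / CVE-2021-25329 edge case.

    An empty list means no PersistentManager+FileStore without a usable allow-list
    was found in this context.xml. Treating the literal value "null" like an absent
    attribute is deliberately conservative.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for manager in root.iter("Manager"):
        if not manager.get("className", "").endswith("PersistentManager"):
            continue
        file_stores = [s for s in manager.findall("Store")
                       if s.get("className", "").endswith("FileStore")]
        if not file_stores:
            continue  # e.g. JDBCStore: not the file-based edge case
        dirs = ", ".join(s.get("directory", "<context work dir>") for s in file_stores)
        filt = manager.get("sessionAttributeValueClassNameFilter")
        if filt is None or filt.strip().lower() in ("", "null"):
            findings.append(f"FileStore ({dirs}) with no sessionAttributeValueClassNameFilter: "
                            "session attribute classes are not allow-listed on reload")
            continue
        try:
            if re.fullmatch(filt, PROBE_CLASS):
                findings.append(f"FileStore ({dirs}) with lax filter {filt!r}: "
                                f"accepts {PROBE_CLASS}")
        except re.error as exc:
            findings.append(f"FileStore ({dirs}) with unparseable filter {filt!r}: {exc}")
    return findings


if __name__ == "__main__":
    for name, xml_text in [("weak", WEAK_CONTEXT_XML), ("lax", LAX_CONTEXT_XML),
                           ("hardened", HARDENED_CONTEXT_XML), ("default", DEFAULT_CONTEXT_XML)]:
        print(name, "->", audit_context(xml_text) or "OK")
```

Run it against a real context.xml by reading the file into audit_context; server.xml can carry the same Manager element under a Host, so scan that too if sessions are configured there. A finding means the CVE-2020-9484 mitigations are the fix, independent of the package update: set an explicit allow-list filter, or drop the FileStore.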
Tracking as affected:
tomcat:
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-12-SP4:Update
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP1:Update
- SUSE:SLE-15-SP2:Update
tomcat6:
- SUSE:SLE-11:Update
A bit unsure about tomcat6, please correct me if this assessment is wrong.
Fix, from the tomcat 10.x branch: https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4
SUSE-SU-2021:0988-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1182909,1182912
CVE References: CVE-2021-25122,CVE-2021-25329
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): tomcat-9.0.36-3.64.1
SUSE OpenStack Cloud 9 (src): tomcat-9.0.36-3.64.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): tomcat-9.0.36-3.64.1
SUSE Linux Enterprise Server 12-SP5 (src): tomcat-9.0.36-3.64.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): tomcat-9.0.36-3.64.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:0989-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1180947,1182909,1182912
CVE References: CVE-2021-24122,CVE-2021-25122,CVE-2021-25329
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): tomcat-9.0.36-3.79.1
SUSE Linux Enterprise Server 15-LTSS (src): tomcat-9.0.36-3.79.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): tomcat-9.0.36-3.79.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): tomcat-9.0.36-3.79.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1008-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1182909,1182912
CVE References: CVE-2021-25122,CVE-2021-25329
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src): tomcat-9.0.36-3.24.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): tomcat-9.0.36-3.24.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1009-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1180947,1182909,1182912
CVE References: CVE-2021-24122,CVE-2021-25122,CVE-2021-25329
JIRA References:
Sources used:
SUSE Manager Server 4.0 (src): tomcat-9.0.36-4.58.1
SUSE Manager Retail Branch Server 4.0 (src): tomcat-9.0.36-4.58.1
SUSE Manager Proxy 4.0 (src): tomcat-9.0.36-4.58.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): tomcat-9.0.36-4.58.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): tomcat-9.0.36-4.58.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): tomcat-9.0.36-4.58.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): tomcat-9.0.36-4.58.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): tomcat-9.0.36-4.58.1
SUSE Enterprise Storage 6 (src): tomcat-9.0.36-4.58.1
SUSE CaaS Platform 4.0 (src): tomcat-9.0.36-4.58.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0496-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 1182909,1182912
CVE References: CVE-2021-25122,CVE-2021-25329
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): tomcat-9.0.36-lp152.2.22.1
SUSE-SU-2021:14705-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1059554,1180947,1182909
CVE References: CVE-2017-12617,CVE-2021-24122,CVE-2021-25329
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): tomcat6-6.0.53-0.57.19.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): tomcat6-6.0.53-0.57.19.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Patches have been submitted for all the affected packages. Nothing further to be done from our side.
SUSE-SU-2021:1431-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1182909
CVE References: CVE-2021-25329
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src): tomcat-8.0.53-29.46.1
SUSE OpenStack Cloud 8 (src): tomcat-8.0.53-29.46.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): tomcat-8.0.53-29.46.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): tomcat-8.0.53-29.46.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): tomcat-8.0.53-29.46.1
SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (src): tomcat-8.0.53-29.46.1
SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (src): tomcat-8.0.53-29.46.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): tomcat-8.0.53-29.46.1
HPE Helion Openstack 8 (src): tomcat-8.0.53-29.46.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
It has been quite some time that this bug has been open even though all the patches have been submitted. Any update?
resolved