Bug 1216182 - VUL-0: tomcat: Rapid reset attack impact (CVE-2023-44487)
Summary: VUL-0: tomcat: Rapid reset attack impact (CVE-2023-44487)
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other, OS: Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/381685/
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2023-44487
Reported: 2023-10-12 13:07 UTC by Alexander Bergmann
Modified: 2024-05-07 07:51 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2023-10-12 13:07:37 UTC
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14

Important: Denial of Service CVE-2023-44487

Tomcat's HTTP/2 implementation was vulnerable to the rapid reset attack. The denial of service typically manifested as an OutOfMemoryError.

This was fixed with commit 76bb4bfb.

This issue was reported to the Tomcat Security Team on 14 September 2023. The issue was made public on 10 October 2023.

Affects: 10.1.0-M1 to 10.1.13

Upstream commits:
https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49
https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e


We are tracking all "HTTP/2 Rapid Reset Attack" related bugs within bsc#1216123.
Comment 1 Fridrich Strba 2023-10-12 15:34:37 UTC
We do not distribute tomcat 10. So none of our products is affected.
Comment 2 Alexander Bergmann 2023-10-13 07:44:19 UTC
The tomcat 9 git repo has the same fix already.

https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a
Comment 3 OBSbugzilla Bot 2023-10-13 11:55:02 UTC
This is an autogenerated message for OBS integration:
This bug (1216182) was mentioned in
https://build.opensuse.org/request/show/1117656 Factory / tomcat
Comment 5 Maintenance Automation 2023-10-19 08:54:45 UTC
SUSE-SU-2023:4129-1: An update that solves two vulnerabilities and contains two features can now be installed.

Category: security (important)
Bug References: 1214666, 1216182
CVE References: CVE-2023-41080, CVE-2023-44487
Jira References: PED-6376, PED-6377
Sources used:
Web and Scripting Module 15-SP5 (src): tomcat-9.0.82-150200.46.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): tomcat-9.0.82-150200.46.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): tomcat-9.0.82-150200.46.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): tomcat-9.0.82-150200.46.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): tomcat-9.0.82-150200.46.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): tomcat-9.0.82-150200.46.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): tomcat-9.0.82-150200.46.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): tomcat-9.0.82-150200.46.1
SUSE Manager Server 4.2 (src): tomcat-9.0.82-150200.46.1
SUSE Enterprise Storage 7.1 (src): tomcat-9.0.82-150200.46.1
Web and Scripting Module 15-SP4 (src): tomcat-9.0.82-150200.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
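Added example, not part of this bug record or of SUSE's own tooling: a Python check that compares the installed tomcat package's VERSION-RELEASE (queried with `rpm -q --qf`) against the fixed build tomcat-9.0.82-150200.46.1 listed in SUSE-SU-2023:4129-1, using rpm's segment-by-segment version comparison rules. It assumes an epoch-less package and version strings without tilde or caret, which holds for the versions on this page.

```python
"""Added check: is the installed SUSE tomcat package at or above the build fixing CVE-2023-44487?"""
import re
import subprocess

# VERSION-RELEASE of the fixed source package listed in SUSE-SU-2023:4129-1 (from this bug record).
FIXED_TOMCAT_VR = "9.0.82-150200.46.1"
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def _segments(s):
    """Split a version string into (is_numeric, value) segments the way rpm does; separators are ignored."""
    return [(t.isdigit(), int(t) if t.isdigit() else t) for t in _SEGMENT.findall(s)]

def rpmvercmp(a, b):
    """Compare two version or release strings with rpm's segment rules; returns -1, 0 or 1.
    Assumption: no tilde/caret handling, which the versions on this page do not use."""
    sa, sb = _segments(a), _segments(b)
    for (num_a, val_a), (num_b, val_b) in zip(sa, sb):
        if num_a != num_b:
            return 1 if num_a else -1  # a numeric segment is newer than an alphabetic one
        if val_a != val_b:
            return 1 if val_a > val_b else -1  # ints numerically, letters lexically
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1  # the string with segments left over is newer

def vr_cmp(a, b):
    """Compare 'VERSION-RELEASE' strings: version first, then release (epoch assumed absent)."""
    ver_a, rel_a = a.rsplit("-", 1)
    ver_b, rel_b = b.rsplit("-", 1)
    return rpmvercmp(ver_a, ver_b) or rpmvercmp(rel_a, rel_b)

def is_fixed(installed_vr, fixed_vr=FIXED_TOMCAT_VR):
    """True when the installed VERSION-RELEASE is the fixed build or newer."""
    return vr_cmp(installed_vr, fixed_vr) >= 0

def installed_tomcat_vr():
    """Ask rpm for the installed tomcat VERSION-RELEASE; None if rpm is unavailable or tomcat is absent."""
    cmd = ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "tomcat"]
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        return None

if __name__ == "__main__":
    vr = installed_tomcat_vr()
    if vr is None:
        print("tomcat not installed or rpm unavailable")
    else:
        print(f"tomcat {vr}: {'fixed' if is_fixed(vr) else 'vulnerable, update to ' + FIXED_TOMCAT_VR}")
```

The `is_fixed` check only covers the SUSE package builds named in this update; other distributions' release tags follow their own numbering.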
Comment 10 Fridrich Strba 2024-03-05 09:33:35 UTC
All tomcat versions have been patched.
Comment 11 Thomas Leroy 2024-05-07 07:51:53 UTC
All done, closing.