Bugzilla – Bug 1180947
VUL-0: CVE-2021-24122: tomcat6,tomcat: Apache Tomcat Information Disclosure
Last modified: 2021-09-14 15:44:55 UTC
through oss

CVE-2021-24122 Apache Tomcat Information Disclosure

Severity: Important

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M9
Apache Tomcat 9.0.0.M1 to 9.0.39
Apache Tomcat 8.5.0 to 8.5.59
Apache Tomcat 7.0.0 to 7.0.106

Description:
When serving resources from a network location using the NTFS file system it was possible to bypass security constraints and/or view the source code for JSPs in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 10.0.0-M10 or later
- Upgrade to Apache Tomcat 9.0.40 or later
- Upgrade to Apache Tomcat 8.5.60 or later
- Upgrade to Apache Tomcat 7.0.107 or later

Credit:
This issue was identified by Ilja Brander.

References:
https://tomcat.apache.org/security-10.html
https://tomcat.apache.org/security-9.html
https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-7.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24122
http://seclists.org/oss-sec/2021/q1/39
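A version check against the ranges in the advisory above, added here as an example; it is not code from this bug, from Apache Tomcat or from SUSE. It parses Tomcat version strings including the milestone forms the advisory uses ("10.0.0-M9", "9.0.0.M1"), classifies an upstream build as affected or fixed, and then shows the caveat that matters on this bug: the SUSE builds named in the update notices (for example tomcat-9.0.36-3.21.1) carry the fix as a backport while still reporting upstream 9.0.36, so an upstream-only check would flag them as vulnerable. The product labels used as dictionary keys are this example's own shorthand for the products named in the notices, and the fixed builds are taken from the notices on this bug; the simplified rpmvercmp is an assumption that is sufficient for these release strings, not a full reimplementation.

```python
"""Affected-version check for CVE-2021-24122 (Apache Tomcat).

Added example; not code from the bug report, Apache Tomcat or SUSE.
Encodes the version ranges from the advisory and the fixed package
builds from the SUSE update notices, and shows why an upstream-only
check misclassifies a backported distribution package.
"""
import re
from typing import List, Tuple, Union

# Inclusive affected ranges and first fixed release, per the advisory text.
ADVISORY_RANGES = {
    10: (("10.0.0-M1", "10.0.0-M9"), "10.0.0-M10"),
    9: (("9.0.0.M1", "9.0.39"), "9.0.40"),
    8: (("8.5.0", "8.5.59"), "8.5.60"),
    7: (("7.0.0", "7.0.106"), "7.0.107"),
}

# Fixed source builds named in the SUSE update notices on this bug.
# Product labels are this example's own shorthand (assumption), not SUSE identifiers.
SUSE_FIXED = {
    "SLE Module for Web Scripting 15-SP2": "tomcat-9.0.36-3.21.1",
    "SLES 12-SP5": "tomcat-9.0.36-3.61.1",
    "openSUSE Leap 15.2": "tomcat-9.0.36-lp152.2.19.1",
    "SLES 15-LTSS": "tomcat-9.0.36-3.79.1",
    "SLES 15-SP1-LTSS": "tomcat-9.0.36-4.58.1",
    "SLES 11-SP4-LTSS": "tomcat6-6.0.53-0.57.19.1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_NEVR_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Sortable (major, minor, patch, milestone) tuple.

    Tomcat writes milestones as "10.0.0-M9" or "9.0.0.M1"; a milestone
    precedes the final release with the same number, so finals get a
    large milestone key.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else 10**6)


def upstream_status(version: str) -> str:
    """'affected', 'fixed' or 'not-listed' for an upstream Tomcat build."""
    v = parse_version(version)
    entry = ADVISORY_RANGES.get(v[0])
    if entry is None:
        return "not-listed"      # e.g. 6.x: not covered by the advisory text
    (lo, hi), first_fixed = entry
    if parse_version(lo) <= v <= parse_version(hi):
        return "affected"
    if v >= parse_version(first_fixed):
        return "fixed"
    return "not-listed"          # e.g. 8.0.x: the advisory only names 8.5.x


def _segments(s: str) -> List[Union[int, str]]:
    return [int(t) if t.isdigit() else t for t in re.findall(r"[0-9]+|[A-Za-z]+", s)]


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp (assumption): segment-wise; numeric sorts after alpha."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return 1
        if isinstance(y, int):
            return -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nevr(nevr: str) -> Tuple[str, str, str]:
    m = _NEVR_RE.match(nevr)
    if not m:
        raise ValueError(f"not a name-version-release string: {nevr!r}")
    return m.group("name"), m.group("ver"), m.group("rel")


def package_status(product: str, installed: str) -> str:
    """Status of a distro package, judged against the distro's fixed build.

    Distros backport: SUSE's fixed build is still upstream 9.0.36, which
    upstream_status() calls 'affected'. Only the release field tells you.
    """
    name, ver, rel = split_nevr(installed)
    fname, fver, frel = split_nevr(SUSE_FIXED[product])
    if name != fname or ver != fver:
        return upstream_status(ver)  # different base version: upstream ranges only
    return "fixed" if rpm_vercmp(rel, frel) >= 0 else "affected"


if __name__ == "__main__":
    for v in ("9.0.36", "9.0.40", "10.0.0-M9", "10.0.0-M10", "6.0.53"):
        print(f"upstream {v:<11} {upstream_status(v)}")
    for pkg in ("tomcat-9.0.36-3.20.1", "tomcat-9.0.36-3.21.1"):
        print(f"15-SP2 {pkg:<22} {package_status('SLE Module for Web Scripting 15-SP2', pkg)}")
```

Feed `rpm -q tomcat` output (name-version-release without the arch) to `package_status` with the matching product label; for a non-distribution Tomcat read the version from `catalina.sh version` and use `upstream_status`. The point of the two paths is that the advisory's upstream ranges and the distribution's backport build numbers answer different questions, and only the latter is authoritative for a vendor package.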
I am not sure whether this is a Windows-only issue. The corresponding commit fix can be found at the references of comment 0. Tracking tomcat in 12-SP2, SP4, 15, 15-SP1 and 15-SP2 as affected. Please upgrade Factory too.
Hi Alexandros, I wasn't able to take a look at this issue this week, because of some other commitments. Hopefully, I will manage to reserve some time for this next week. Sorry for the inconvenience. Abid
SUSE-SU-2021:0531-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1180947
CVE References: CVE-2021-24122
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src): tomcat-9.0.36-3.21.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:0530-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1180947
CVE References: CVE-2021-24122
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): tomcat-9.0.36-3.61.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0330-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1180947
CVE References: CVE-2021-24122
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): tomcat-9.0.36-lp152.2.19.1
Hi Alexandros, the MR for SLE-12-SP1 has been rejected with the following message: `This codestream is EOL, if in doubt please contact the security team` https://build.suse.de/request/show/238101 For all others, MRs have already been accepted, and tomcat6 doesn't seem to be affected. Please let me know how to proceed from here.
SUSE-SU-2021:0989-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1180947,1182909,1182912
CVE References: CVE-2021-24122,CVE-2021-25122,CVE-2021-25329
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src): tomcat-9.0.36-3.79.1
SUSE Linux Enterprise Server 15-LTSS (src): tomcat-9.0.36-3.79.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): tomcat-9.0.36-3.79.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): tomcat-9.0.36-3.79.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1009-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1180947,1182909,1182912
CVE References: CVE-2021-24122,CVE-2021-25122,CVE-2021-25329
JIRA References:
Sources used:
SUSE Manager Server 4.0 (src): tomcat-9.0.36-4.58.1
SUSE Manager Retail Branch Server 4.0 (src): tomcat-9.0.36-4.58.1
SUSE Manager Proxy 4.0 (src): tomcat-9.0.36-4.58.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): tomcat-9.0.36-4.58.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): tomcat-9.0.36-4.58.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): tomcat-9.0.36-4.58.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): tomcat-9.0.36-4.58.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): tomcat-9.0.36-4.58.1
SUSE Enterprise Storage 6 (src): tomcat-9.0.36-4.58.1
SUSE CaaS Platform 4.0 (src): tomcat-9.0.36-4.58.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Hi Alexandros, sorry it took so long for SLE 11; I was on vacation. Patches (https://build.suse.de/request/show/239657) have been submitted for SLE11, both for this bug and for https://bugzilla.suse.com/show_bug.cgi?id=1059554
SUSE-SU-2021:14705-1: An update that fixes three vulnerabilities is now available.
Category: security (important)
Bug References: 1059554,1180947,1182909
CVE References: CVE-2017-12617,CVE-2021-24122,CVE-2021-25329
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src): tomcat6-6.0.53-0.57.19.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): tomcat6-6.0.53-0.57.19.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This bug has been open for quite some time even though all the patches have been submitted. Any update?
This can be closed