Security Information / 2020 / Security Information -- DSA-4680-1 tomcat9

Debian Security Advisory

DSA-4680-1 tomcat9 -- security update

Date Reported:

06 May 2020

Affected Packages:

tomcat9

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2019-10072, CVE-2019-12418, CVE-2019-17563, CVE-2019-17569, CVE-2020-1935, CVE-2020-1938.

More information:

Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector (disabled by default in Debian) or a man-in-the-middle attack against the JMX interface.

For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u1. The fix for CVE-2020-1938 may require configuration changes when Tomcat is used with the AJP connector, e.g. in combination with libapache-mod-jk. For instance the attribute secretRequired is set to true by default now. For affected setups it's recommended to review https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html before the deploying the update.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat9