https://bugzilla.redhat.com/show_bug.cgi?id=2130599
Bug ID: 2130599
Summary: CVE-2021-43980: Apache Tomcat: Information disclosure
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: amctagga@redhat.com
CC: alee@redhat.com, coolsvap@gmail.com, csutherl@redhat.com, gzaronikas@gmail.com, huwang@redhat.com, ivan.afonichev@gmail.com, java-sig-commits@lists.fedoraproject.org, krzysztof.daniel@gmail.com
Target Milestone: ---
Classification: Other
Severity: important
Description:
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0-M1 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance, resulting in responses, or parts of responses, being received by the wrong client.
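To make the failure mode concrete, the following is an added model of the bug class described above (a pooled per-connection processor recycled while one connection still owns it, so the next connection is handed the same object). It is not Tomcat's code and does not reproduce the exact Tomcat race; Processor, ProcessorPool, run_scenario and find_crosstalk are hypothetical names, and the interleaving is scripted by hand so the outcome is deterministic. The find_crosstalk check is the same per-request-marker check a practitioner would run against a real server.

```python
"""Constructed model of the bug class behind CVE-2021-43980: a pooled
per-connection processor that is recycled while one connection still owns
it, so the next connection is handed the same object and the two responses
bleed into each other.

Added illustration, not Tomcat's code.  Processor, ProcessorPool,
run_scenario and find_crosstalk are hypothetical names; the interleaving
is scripted by hand so the race is deterministic.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Per-client markers used by the cross-talk check (constructed test data).
MARKERS: Dict[str, bytes] = {"A": b"end-of-A", "B": b"secret-for-B"}


@dataclass
class Processor:
    """Per-connection request/response state, recycled between connections."""
    client: Optional[str] = None
    response: bytearray = field(default_factory=bytearray)
    in_use: bool = False

    def recycle(self) -> None:
        """Clear state before the processor is reused."""
        self.client = None
        self.response = bytearray()
        self.in_use = False


class ProcessorPool:
    """Stack of idle processors.  guard_release=False models the flaw:
    release() trusts every caller.  guard_release=True refuses to recycle a
    processor whose handler has not yet given up ownership."""

    def __init__(self, guard_release: bool) -> None:
        self.free: List[Processor] = []
        self.guard_release = guard_release

    def acquire(self, client: str) -> Processor:
        p = self.free.pop() if self.free else Processor()
        p.in_use = True
        p.client = client
        return p

    def release(self, p: Processor) -> bool:
        if self.guard_release and p.in_use:
            return False          # still owned by a live handler: refuse
        p.recycle()
        self.free.append(p)
        return True


def run_scenario(guard_release: bool) -> dict:
    """Replay one interleaving: A starts a response, a concurrent close/error
    path releases A's processor early, B connects, then A finishes."""
    pool = ProcessorPool(guard_release)

    pa = pool.acquire("A")
    pa.response += b"body-for-A"

    # Spurious early release from another thread while A's handler still
    # holds pa.  With the flaw, pa is wiped and put back on the free stack.
    early_release_accepted = pool.release(pa)

    pb = pool.acquire("B")            # with the flaw this *is* pa
    pb.response += b"secret-for-B"

    pa.response += b" [end-of-A]"     # A resumes on the object it still holds
    a_view, b_view = bytes(pa.response), bytes(pb.response)

    # Normal completion: each handler drops ownership, then releases.
    for p in (pa, pb):
        p.in_use = False
        pool.release(p)

    return {
        "shared": pa is pb,
        "early_release_accepted": early_release_accepted,
        "responses": {"A": a_view, "B": b_view},
    }


def find_crosstalk(responses: Dict[str, bytes], markers: Dict[str, bytes]) -> Set[str]:
    """Clients whose response contains a marker belonging to another client.
    Against a real server: send a unique marker per request and verify each
    response echoes only its own."""
    leaked: Set[str] = set()
    for client, body in responses.items():
        for other, marker in markers.items():
            if other != client and marker in body:
                leaked.add(client)
    return leaked


if __name__ == "__main__":
    for guarded in (False, True):
        r = run_scenario(guarded)
        print("guarded" if guarded else "flawed", r["shared"],
              r["responses"], sorted(find_crosstalk(r["responses"], MARKERS)))
```

With the flaw, client A's final response carries B's body and B's response carries A's tail, which is exactly the "responses, or parts of responses, received by the wrong client" outcome. Because the real trigger was extremely hard to hit, a clean result from a marker test against a live Tomcat does not prove the server is unaffected; version and patch-level checks remain the reliable control.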
Credit:
Thanks to Adam Thomas, Richard Hernandez and Ryan Schmitt for discovering the issue and working with the Tomcat security team to identify the root cause and appropriate fix.
References:
https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3
https://bugzilla.redhat.com/show_bug.cgi?id=2130599
amctagga@redhat.com changed:
What   |Removed |Added
Blocks |        |2130601
CC     |        |jclere@redhat.com, jwon@redhat.com, krathod@redhat.com, mmadzin@redhat.com, peholase@redhat.com, pjindal@redhat.com, rhcs-maint@bot.bugzilla.redhat.com, szappis@redhat.com
Yasuhiro Ozone yozone@redhat.com changed:
What |Removed |Added
CC   |        |yozone@redhat.com
Chess Hazlett chazlett@redhat.com changed:
What     |Removed                                               |Added
Priority |high                                                  |low
Summary  |CVE-2021-43980: Apache Tomcat: Information disclosure |CVE-2021-43980 : Apache Tomcat: Information disclosure
Severity |high                                                  |low
TEJ RATHI trathi@redhat.com changed:
What       |Removed |Added
Depends On |        |2133649, 2133650
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2133649 [Bug 2133649] CVE-2021-43980 tomcat: Apache Tomcat: Information disclosure [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2133650 [Bug 2133650] CVE-2021-43980 tomcat: Apache Tomcat: Information disclosure [fedora-all]
--- Comment #3 from TEJ RATHI trathi@redhat.com --- Created tomcat tracking bugs for this issue:
Affects: epel-all [bug 2133649]
Affects: fedora-all [bug 2133650]
TEJ RATHI trathi@redhat.com changed:
What       |Removed |Added
Depends On |        |2133653, 2133652
Aaron Ogburn aogburn@redhat.com changed:
What |Removed |Added
CC   |        |aogburn@redhat.com
Coty Sutherland csutherl@redhat.com changed:
What  |Removed |Added
Flags |        |needinfo?(trathi@redhat.com)
CC    |        |trathi@redhat.com
TEJ RATHI trathi@redhat.com changed:
What  |Removed                      |Added
CC    |                             |chazlett@redhat.com
Flags |needinfo?(trathi@redhat.com) |needinfo?(chazlett@redhat.com)
Chess Hazlett chazlett@redhat.com changed:
What  |Removed                        |Added
Flags |needinfo?(chazlett@redhat.com) |
Chess Hazlett chazlett@redhat.com changed:
What             |Removed |Added
Fixed In Version |        |Tomcat 10.1.0-M14, Tomcat 10.0.20, Tomcat 9.0.62, Tomcat 8.5.78
Flags            |        |needinfo?(security-response-team@redhat.com)
CC               |        |security-response-team@redhat.com
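The affected ranges from the description together with the Fixed In Version field above are enough to triage upstream Tomcat binaries by version string. The following is an added example (not Red Hat or Apache tooling) that does that; parse_version, classify and triage are hypothetical names and the inventory in the main block is constructed. It accepts both the hyphenated milestone form used by Tomcat 10 (10.1.0-M12) and the dotted form used by early Tomcat 9 milestones (9.0.0.M1), and sorts milestones before the GA release of the same number. The check applies only to upstream version strings: distribution and product builds (RHEL, JWS) backport fixes without bumping the upstream number, so for those consult the errata and the tracking bugs on this page rather than the version.

```python
"""Classify an Apache Tomcat version against the CVE-2021-43980 ranges
recorded in this bug: affected 10.1.0-M1..10.1.0-M12, 10.0.0-M1..10.0.18,
9.0.0-M1..9.0.60, 8.5.0..8.5.77; fixed in 10.1.0-M14, 10.0.20, 9.0.62, 8.5.78.

Added example, not Red Hat or Apache tooling.  parse_version, classify and
triage are hypothetical names; the inventory in __main__ is constructed.
Only meaningful for upstream builds: distro packages backport fixes
without changing the upstream version number.
"""
import re
from typing import Dict, List, Tuple

# Accepts 10.1.0-M12 (hyphen) and 9.0.0.M1 (dot) milestone spellings.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")

# branch -> (first affected, last affected, first fixed), from the bug text
RANGES: Dict[Tuple[int, int], Tuple[str, str, str]] = {
    (10, 1): ("10.1.0-M1", "10.1.0-M12", "10.1.0-M14"),
    (10, 0): ("10.0.0-M1", "10.0.18", "10.0.20"),
    (9, 0): ("9.0.0-M1", "9.0.60", "9.0.62"),
    (8, 5): ("8.5.0", "8.5.77", "8.5.78"),
}


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Sortable key.  A milestone x.y.z-Mn sorts before the x.y.z GA release,
    so the fourth field is 0 for milestones and 1 for GA."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def classify(v: str) -> str:
    """'affected', 'fixed', or 'unlisted' (a branch the bug does not list,
    e.g. 7.0.x, or a number between the last affected and first fixed)."""
    key = parse_version(v)
    branch = RANGES.get(key[:2])
    if branch is None:
        return "unlisted"
    first, last, fixed = (parse_version(s) for s in branch)
    if first <= key <= last:
        return "affected"
    if key >= fixed:
        return "fixed"
    return "unlisted"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by classification of their reported Tomcat version."""
    out: Dict[str, List[str]] = {"affected": [], "fixed": [], "unlisted": []}
    for host, version in sorted(inventory.items()):
        out[classify(version)].append(host)
    return out


if __name__ == "__main__":
    # Constructed inventory; in practice the string comes from the server's
    # ServerInfo (catalina.jar) or the version banner.
    hosts = {"web1": "9.0.54", "web2": "9.0.65", "app1": "10.1.0-M12",
             "app2": "10.0.27", "legacy": "8.5.77", "old": "7.0.109"}
    print(triage(hosts))
```

A version the bug lists neither as affected nor as fixed (for instance a 9.0.61 string, which sits between 9.0.60 and 9.0.62) is reported as "unlisted" rather than silently treated as safe, so it gets a manual look.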
--- Comment #13 from Chess Hazlett chazlett@redhat.com --- the AbstractProtocol code in jws-3 appears to predate the affected code significantly, and is not affected by this flaw. Calling JWS-3 notaffected.
TEJ RATHI trathi@redhat.com changed:
What  |Removed                                      |Added
Flags |needinfo?(security-response-team@redhat.com) |
Bug 2130599 depends on bug 2133650, which changed state.
Bug 2133650 Summary: CVE-2021-43980 tomcat: Apache Tomcat: Information disclosure [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2133650
What       |Removed |Added
Status     |NEW     |CLOSED
Resolution |---     |EOL
Bug 2130599 depends on bug 2133649, which changed state.
Bug 2133649 Summary: CVE-2021-43980 tomcat: Apache Tomcat: Information disclosure [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=2133649
What       |Removed |Added
Status     |NEW     |CLOSED
Resolution |---     |CURRENTRELEASE