GLSA Advocate
Posted: Thu Dec 24, 2020 3:26 pm Post subject: [ GLSA 202012-23 ] Apache Tomcat
Gentoo Linux Security Advisory
Title: Apache Tomcat: Information disclosure (GLSA 202012-23)
Severity: low
Exploitable: remote
Date: 2020-12-24
Bug(s): #758338
ID: 202012-23
Synopsis
A vulnerability has been discovered in Apache Tomcat that allows
for the disclosure of sensitive information.
Background
Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.
Affected Packages
Package: www-servers/tomcat
Vulnerable: < 8.5.60
Vulnerable: < 9.0.40
Unaffected: >= 8.5.60
Unaffected: >= 9.0.40
Architectures: All supported architectures
Description
It was discovered that Apache Tomcat could re-use an HTTP request header
value from the previous stream received on an HTTP/2 connection for the
request associated with the subsequent stream.
Impact
A remote attacker, by sending well-timed HTTP/2 requests, could possibly
obtain sensitive information.
Workaround
Disable HTTP/2 support.
Resolution
All Apache Tomcat 8.5.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.5.60:8.5"

All Apache Tomcat 9.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-9.0.40:9"
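The two follow-up checks an administrator would want after reading the Workaround and Resolution sections, as an added shell example that is not part of the GLSA or of Gentoo's own tooling: a field-by-field numeric comparison of an installed www-servers/tomcat version against the unaffected versions listed above (8.5.60 and 9.0.40), and a scan of a server.xml for whether HTTP/2 is still enabled, which is exactly what the workaround removes. Tomcat enables HTTP/2 with an UpgradeProtocol element whose className is org.apache.coyote.http2.Http2Protocol inside a Connector; the two sample server.xml files are constructed here, the function names are mine, and the comment-aware scan is a small awk state machine, not an XML parser.

```shell
#!/bin/sh
# Added example for GLSA 202012-23 (not Gentoo's code). Assumptions: the fixed
# versions below are taken from the advisory; everything else is illustrative.

FIXED_85="8.5.60"   # first unaffected version in the 8.5 SLOT
FIXED_9="9.0.40"    # first unaffected version in the 9 SLOT

# version_ge A B: succeeds when dotted version A >= B, comparing each field
# numerically (so 8.5.9 < 8.5.10, which a plain string compare gets wrong).
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# tomcat_status VERSION: "affected" or "unaffected" for the 8.5.x and 9.x
# branches the advisory covers; any other branch is "unlisted" because the
# GLSA makes no statement about it.
tomcat_status() {
    v="$1"
    case "$v" in
        8.5.*) if version_ge "$v" "$FIXED_85"; then echo unaffected; else echo affected; fi ;;
        9.*)   if version_ge "$v" "$FIXED_9";  then echo unaffected; else echo affected; fi ;;
        *)     echo unlisted ;;
    esac
}

# http2_enabled FILE: succeeds when an uncommented Http2Protocol upgrade
# element is present. The awk program strips <!-- --> blocks, including
# multi-line ones, before matching; it does not understand CDATA or entities.
http2_enabled() {
    awk '
        {
            line = $0; out = ""
            while (length(line) > 0) {
                if (incomment) {
                    p = index(line, "-->")
                    if (p == 0) { line = ""; break }
                    line = substr(line, p + 3); incomment = 0
                } else {
                    p = index(line, "<!--")
                    if (p == 0) { out = out line; line = ""; break }
                    out = out substr(line, 1, p - 1)
                    line = substr(line, p + 4); incomment = 1
                }
            }
            if (out ~ /org\.apache\.coyote\.http2\.Http2Protocol/) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# write_samples: constructed server.xml fragments (not from any deployment).
# server-h2.xml still enables HTTP/2; server-noh2.xml has the workaround
# applied by commenting the UpgradeProtocol element out.
write_samples() {
    SAMPLE_DIR="${TMPDIR:-/tmp}/glsa-202012-23-demo.$$"
    mkdir -p "$SAMPLE_DIR"
    cat > "$SAMPLE_DIR/server-h2.xml" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>
EOF
    cat > "$SAMPLE_DIR/server-noh2.xml" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <!-- GLSA 202012-23 workaround: HTTP/2 disabled until the upgrade lands
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      -->
    </Connector>
  </Service>
</Server>
EOF
}

# Demo run: classify a few versions, then scan both sample configs.
demo() {
    for v in 8.5.59 8.5.60 9.0.39 9.0.40; do
        printf 'www-servers/tomcat-%s: %s\n' "$v" "$(tomcat_status "$v")"
    done
    write_samples
    for f in "$SAMPLE_DIR/server-h2.xml" "$SAMPLE_DIR/server-noh2.xml"; do
        if http2_enabled "$f"; then echo "$f: HTTP/2 enabled (workaround not applied)"
        else echo "$f: HTTP/2 disabled"; fi
    done
    rm -rf "$SAMPLE_DIR"
}

demo
```

On a real host, feed tomcat_status the version from `equery list www-servers/tomcat` or `emerge -pv www-servers/tomcat` and point http2_enabled at the instance's server.xml; a version reported as affected with HTTP/2 enabled is the combination the advisory describes.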
References
CVE-2020-17527