We have received notifications from the Apache Software Foundation via AusCERT concerning two separate security vulnerabilities in recent versions of Tomcat. Both warrant immediate patching, as each could be exploited to compromise the security of a Tomcat server.
CVE-2017-7675 Apache Tomcat Cache Poisoning
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 9.0.0.M1 to 9.0.0.M21
- Apache Tomcat 8.5.0 to 8.5.15
Description:
The HTTP/2 implementation bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.
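The defensive point behind this advisory is that a security constraint is only meaningful if it is evaluated against the canonical form of the request path, after percent-decoding and after "." and ".." segments have been resolved. The following is an added example, not Tomcat's code: it implements a small canonicaliser and a servlet-style constraint check on top of it. The constraint table, role names and sample paths are constructed for illustration, and the "/*" prefix-pattern semantics are a simplified version of the servlet URL-pattern rules.

```python
# Added example (not Tomcat code): evaluate a security constraint against the
# canonical request path, never the raw one.  CONSTRAINTS, role names and the
# sample paths used in tests are constructed for illustration.
from typing import Optional
from urllib.parse import unquote

# Hypothetical constraint table: servlet-style URL pattern -> role required.
CONSTRAINTS = {
    "/admin/*": "admin",
}


def canonicalize(raw_path: str) -> Optional[str]:
    """Return the canonical form of raw_path, or None if it cannot be made safe.

    - percent-decodes exactly once and refuses double-encoded input
    - drops empty and "." segments, resolves ".." segments
    - rejects any path that would climb above the context root
    """
    if "%" in raw_path:
        decoded = unquote(raw_path)
        # A second decode must be a no-op; otherwise the client double-encoded
        # and a later component might decode again and see a different path.
        if unquote(decoded) != decoded:
            return None
    else:
        decoded = raw_path
    if not decoded.startswith("/") or "\x00" in decoded:
        return None

    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None  # traversal above the root: refuse, don't clamp
            segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def matches(pattern: str, path: str) -> bool:
    """Simplified servlet matching: "/x/*" covers "/x" and anything below it,
    any other pattern is an exact match."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def authorize(raw_path: str, user_roles: set) -> bool:
    """True if a principal holding user_roles may access raw_path.

    The constraint lookup runs on the canonical path, so an encoded or
    dot-segment spelling of a protected resource is judged like the plain one;
    an uncanonicalisable path is denied outright.
    """
    path = canonicalize(raw_path)
    if path is None:
        return False
    for pattern, role in CONSTRAINTS.items():
        if matches(pattern, path):
            return role in user_roles
    return True  # no constraint covers this resource


if __name__ == "__main__":
    for p in ("/public/index.html", "/admin/secret", "/public/../admin/secret"):
        print(p, "->", canonicalize(p), "anonymous allowed:", authorize(p, set()))
```

The two checks worth carrying into a real filter are the refusal of double-encoded input and the refusal (rather than silent clamping) of ".." that would leave the root; both are places where a lenient normaliser quietly disagrees with the layer that enforces constraints.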
Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M22 or later
- Upgrade to Apache Tomcat 8.5.16 or later
Credit:
The issue was reported as Bug 61120 and the security implications identified by the Apache Tomcat Security Team.
History:
2017-08-10 Original advisory
References:
- http://tomcat.apache.org/security-9.html
- http://tomcat.apache.org/security-8.html
- http://tomcat.apache.org/security-7.html
- https://bz.apache.org/bugzilla/show_bug.cgi?id=61120
CVE-2017-7674 Apache Tomcat Cache Poisoning
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 9.0.0.M1 to 9.0.0.M21
- Apache Tomcat 8.5.0 to 8.5.15
- Apache Tomcat 8.0.0.RC1 to 8.0.44
- Apache Tomcat 7.0.41 to 7.0.78
Description:
The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client- and server-side cache poisoning in some circumstances.
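A CORS filter that echoes the request's Origin into Access-Control-Allow-Origin produces a response that is specific to one origin; without "Vary: Origin", a shared cache keys that response on the URL alone and hands it to the next client regardless of its origin. The following is an added example, not Tomcat's CORS filter: a minimal origin server plus a Vary-aware cache model, run once without and once with the header, and a small header check a defender can run over captured responses. The allow-list, URL and origins are constructed.

```python
# Added example (not Tomcat's CORS filter): why an origin-dependent CORS
# response must carry "Vary: Origin".  The allow-list, URL and origins below
# are constructed for illustration.
from typing import Callable, Dict, Optional

ALLOWED_ORIGINS = {"https://app.example", "https://partner.example"}


def cors_response(origin: Optional[str], vary_on_origin: bool) -> Dict[str, str]:
    """Headers a CORS filter would attach to a GET response for this Origin."""
    headers = {"Content-Type": "application/json"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    if vary_on_origin:
        headers["Vary"] = "Origin"  # what the fixed versions add
    return headers


class SharedCache:
    """Caches responses the way an HTTP cache does: a stored entry is reused
    only if the request headers named in its Vary header match."""

    def __init__(self):
        self.entries = {}  # url -> list of (vary_fields, request_values, response)

    def fetch(self, url: str, request_headers: Dict[str, str],
              origin_server: Callable[[Dict[str, str]], Dict[str, str]]) -> Dict[str, str]:
        for vary_fields, req_values, response in self.entries.get(url, []):
            if all(request_headers.get(h) == req_values.get(h) for h in vary_fields):
                return response  # cache hit
        response = origin_server(request_headers)
        vary_fields = [h.strip() for h in response.get("Vary", "").split(",") if h.strip()]
        req_values = {h: request_headers.get(h) for h in vary_fields}
        self.entries.setdefault(url, []).append((vary_fields, req_values, response))
        return response


def poisoning_possible(vary_on_origin: bool) -> bool:
    """Two clients behind one cache request the same URL with different Origins.

    Returns True if the second client receives an Access-Control-Allow-Origin
    granted to the first client's origin, i.e. the cache served an
    origin-specific response to the wrong origin.
    """
    cache = SharedCache()
    server = lambda req: cors_response(req.get("Origin"), vary_on_origin)
    cache.fetch("/api/profile", {"Origin": "https://app.example"}, server)
    second = cache.fetch("/api/profile", {"Origin": "https://partner.example"}, server)
    return second.get("Access-Control-Allow-Origin") != "https://partner.example"


def vary_header_ok(response_headers: Dict[str, str]) -> bool:
    """Defender's check over a captured response: if the response carries an
    origin-specific Access-Control-Allow-Origin, Vary must list Origin."""
    lower = {k.lower(): v for k, v in response_headers.items()}
    acao = lower.get("access-control-allow-origin")
    if acao is None or acao == "*":
        return True  # not origin-specific, nothing to vary on
    vary = [v.strip().lower() for v in lower.get("vary", "").split(",")]
    return "origin" in vary or "*" in vary


if __name__ == "__main__":
    print("without Vary: poisoning possible =", poisoning_possible(False))
    print("with Vary:    poisoning possible =", poisoning_possible(True))
```

The same check can be pointed at responses from a patched server to confirm the header is actually reaching the cache: intermediaries that strip or rewrite Vary reintroduce the problem even when the filter is correct.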
Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M22 or later
- Upgrade to Apache Tomcat 8.5.16 or later
- Upgrade to Apache Tomcat 8.0.45 or later
- Upgrade to Apache Tomcat 7.0.79 or later
Credit:
The issue was reported as Bug 61101 and the security implications identified by the Apache Tomcat Security Team.
History:
2017-08-10 Original advisory
References:
- http://tomcat.apache.org/security-9.html
- http://tomcat.apache.org/security-8.html
- http://tomcat.apache.org/security-7.html
- https://bz.apache.org/bugzilla/show_bug.cgi?id=61101