Hello all,
If you're running your tomcat instance behind a reverse proxy, please see
the following CVE advisory:
---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Wed, Jun 21, 2023 at 4:24 AM
Subject: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure
To: users@xxxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxxx>
Cc: <announce@xxxxxxxxxx>, announce@xxxxxxxxxxxxxxxxx <
announce@xxxxxxxxxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>
CVE-2023-34981 Apache Tomcat - Information disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M5
Apache Tomcat 10.1.8
Apache Tomcat 9.0.74
Apache Tomcat 8.5.88
Description:
The fix for bug 66512 introduced a regression that was fixed as bug
66591. The regression meant that, if a response did not have any HTTP
headers set, no AJP SEND_HEADERS message would be sent which in turn
meant that at least one AJP based proxy (mod_proxy_ajp) would use the
response headers from the previous request for the current request
leading to an information leak.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M6 or later
- Upgrade to Apache Tomcat 10.1.9 or later
- Upgrade to Apache Tomcat 9.0.75 or later
- Upgrade to Apache Tomcat 8.5.89 or later
Credit:
Hidenobu Hayashi and Yuichiro Fukubayashi of M3, Inc.
History:
2023-06-21 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
[5] https://bz.apache.org/bugzilla/show_bug.cgi?id=66512
[6] https://bz.apache.org/bugzilla/show_bug.cgi?id=66591
