Debian DSA-4952-1 : tomcat9 - security update

medium Nessus Plugin ID 152418



The remote Debian host is missing one or more security-related updates.


The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities, as referenced in the DSA-4952 advisory.

- A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

- Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; Tomcat honoured the identity encoding; and Tomcat did not ensure that, if present, the chunked encoding was the final encoding. (CVE-2021-33037)
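The three parsing mistakes above matter because a reverse proxy and the origin can end up framing the same request body differently. The following is an added example, not Tomcat source and not the patch shipped in the Debian package: a lenient parser that models the three described symptoms next to a strict one that follows RFC 7230 section 3.3.3 and rejects every ambiguous case. The sample requests and the `KNOWN_CODINGS` allow-list are constructed for the example.

```python
"""Contrast the three Transfer-Encoding parsing mistakes named in the
advisory with a strict RFC 7230 section 3.3.3 framing decision.
Added example: a constructed model, not Tomcat code."""

import re

# Transfer codings the strict parser recognises (assumption: our own
# allow-list; 'identity' is deliberately absent, RFC 7230 dropped it).
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}


def parse_head(raw):
    """Split a request head into (method, target, version, headers).
    Header names are lower-cased; repeated names are comma-joined."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return method, target, version, headers


def transfer_codings(headers):
    """Transfer-Encoding as an ordered list of lower-cased codings, or None."""
    te = headers.get("transfer-encoding")
    if te is None:
        return None
    return [c.strip().lower() for c in te.split(",") if c.strip()]


def lenient_framing(raw):
    """Model of the pre-fix behaviour the advisory describes (a model of the
    symptoms, not Tomcat's code)."""
    _, _, version, h = parse_head(raw)
    te = transfer_codings(h)
    if te is not None and version != "HTTP/1.1":
        te = None                      # mistake 1: TE silently dropped for HTTP/1.0
    if te is not None and "chunked" in te:
        return "chunked"               # mistake 3: chunked need not be the final coding
    if te is not None and all(c == "identity" for c in te):
        te = None                      # mistake 2: identity honoured as a no-op
    if te is not None:
        return "reject:unsupported-coding"
    if "content-length" in h:
        return "content-length:%d" % int(h["content-length"])
    return "no-body"


def strict_framing(raw):
    """Framing per RFC 7230 section 3.3.3, rejecting the ambiguous cases
    (a real server answers 400 and closes the connection)."""
    _, _, version, h = parse_head(raw)
    te = transfer_codings(h)
    cl = h.get("content-length")
    if te is None:
        if cl is None:
            return "no-body"
        if not re.fullmatch(r"[0-9]+", cl):
            return "reject:bad-content-length"
        return "content-length:%d" % int(cl)
    # A Transfer-Encoding header is a framing signal whatever the request
    # line claims; dropping it for HTTP/1.0 lets proxy and origin disagree.
    if version != "HTTP/1.1":
        return "reject:te-on-http10"
    if any(c not in KNOWN_CODINGS for c in te):
        return "reject:unknown-coding"
    if te[-1] != "chunked" or te.count("chunked") != 1:
        return "reject:chunked-not-final"
    if cl is not None:
        return "reject:te-and-content-length"
    return "chunked"


def diverges(raw):
    """True when the two parsers frame the body differently, i.e. the request
    could desynchronise a strictly parsing proxy from a lenient origin."""
    return lenient_framing(raw) != strict_framing(raw)


# Constructed sample requests (not captured traffic).
REQ_HTTP10_TE = (b"POST /app HTTP/1.0\r\nHost: example.test\r\n"
                 b"Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n")
REQ_IDENTITY = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                b"Transfer-Encoding: identity\r\nContent-Length: 5\r\n\r\nhello")
REQ_CHUNKED_NOT_LAST = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                        b"Transfer-Encoding: chunked, gzip\r\n\r\n0\r\n\r\n")
REQ_GOOD_CHUNKED = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                    b"Transfer-Encoding: gzip, chunked\r\n\r\n0\r\n\r\n")
REQ_PLAIN = (b"POST /app HTTP/1.0\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for name, req in [("http10+te", REQ_HTTP10_TE), ("identity", REQ_IDENTITY),
                      ("chunked-not-last", REQ_CHUNKED_NOT_LAST),
                      ("gzip,chunked", REQ_GOOD_CHUNKED), ("plain", REQ_PLAIN)]:
        print("%-18s lenient=%-28s strict=%s"
              % (name, lenient_framing(req), strict_framing(req)))
```

The first three sample requests are exactly the ones where the lenient model falls back to Content-Length (or to a mis-placed chunked) while the strict parser refuses to guess; the last two frame identically under both, which is what you want from an origin that sits behind a proxy.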

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.


Upgrade the tomcat9 packages.

For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u5.
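Because the plugin relies on the self-reported package version, the whole decision reduces to dpkg's version ordering against 9.0.31-1~deb10u5. The block below is an added example, not the plugin's NASL and not dpkg itself: a pure-Python reimplementation of dpkg's comparison rules (epoch, upstream, revision; `~` sorts before everything including end of string; digit runs compare numerically) applied to constructed `dpkg-query` output. The fixed version and package names come from this advisory; the sample installed versions are made up.

```python
"""Version-only check for DSA-4952: reimplements dpkg's version ordering and
applies it to dpkg-query output.  Added example, not the Nessus plugin."""

import re

FIXED_VERSION = "9.0.31-1~deb10u5"             # from the advisory text
AFFECTED_PACKAGES = {                           # binary packages the plugin lists
    "libtomcat9-embed-java", "libtomcat9-java", "tomcat9", "tomcat9-admin",
    "tomcat9-common", "tomcat9-docs", "tomcat9-examples", "tomcat9-user",
}


def _char_order(c):
    """dpkg ordering for one character of a non-digit run:
    '~' < end-of-string < letters < everything else."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream or revision string by alternating non-digit and
    digit runs, digits numerically (so deb10u10 > deb10u5)."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def split_version(v):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, upstream = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = upstream.rpartition("-") if "-" in upstream else (upstream, "", "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1, following the ordering of dpkg --compare-versions."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def affected(dpkg_query_output, fixed=FIXED_VERSION):
    """(package, version) pairs from 'dpkg-query -W -f=${Package}\\t${Version}\\n'
    output that are in the advisory's list and older than the fixed version."""
    hits = []
    for line in dpkg_query_output.splitlines():
        if not line.strip():
            continue
        pkg, ver = line.split("\t", 1)
        if pkg in AFFECTED_PACKAGES and compare_versions(ver, fixed) < 0:
            hits.append((pkg, ver))
    return hits


# Constructed sample output (not from a real host).
SAMPLE = "\n".join([
    "tomcat9\t9.0.31-1~deb10u4",
    "tomcat9-common\t9.0.31-1~deb10u4",
    "libtomcat9-java\t9.0.31-1~deb10u5",
    "libtomcat9-embed-java\t9.0.31-1~deb10u10",
    "openjdk-11-jre-headless\t11.0.12+7-2~deb10u1",
])

if __name__ == "__main__":
    for pkg, ver in affected(SAMPLE):
        print("%s %s is older than %s" % (pkg, ver, FIXED_VERSION))
```

The sample shows the two ordering rules that trip people up: `deb10u10` is newer than `deb10u5` because digit runs compare numerically, and `9.0.31-1~deb10u5` sorts before plain `9.0.31-1` because of the tilde. The caveat the advisory itself states applies here too: a version-only check says nothing about a locally rebuilt package or a fix backported under a different version string.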

Plugin Details

Severity: Medium

ID: 152418

File Name: debian_DSA-4952.nasl

Version: 1.3

Type: local

Agent: unix

Published: 8/10/2021

Updated: 1/26/2022

Supported Sensors: Frictionless Assessment Agent, Nessus Agent

Risk Information

CVSS Score Source: CVE-2021-30640


Risk Factor: Medium

Score: 5


CVSS v2.0

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C


CVSS v3.0

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libtomcat9-embed-java, p-cpe:/a:debian:debian_linux:libtomcat9-java, p-cpe:/a:debian:debian_linux:tomcat9, p-cpe:/a:debian:debian_linux:tomcat9-admin, p-cpe:/a:debian:debian_linux:tomcat9-common, p-cpe:/a:debian:debian_linux:tomcat9-docs, p-cpe:/a:debian:debian_linux:tomcat9-examples, p-cpe:/a:debian:debian_linux:tomcat9-user, cpe:/o:debian:debian_linux:10.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 8/9/2021

Vulnerability Publication Date: 5/12/2021

Reference Information

CVE: CVE-2021-30640, CVE-2021-33037

IAVA: 2021-A-0303-S