SUSE SLES15: tomcat / tomcat-admin-webapps / tomcat-el-3_0-api / etc (SUSE-SU-2023:4129-1)

medium Nessus Plugin ID 183494

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:4129-1 advisory.

Tomcat was updated to version 9.0.82 (jsc#PED-6376, jsc#PED-6377):

- Security issues fixed:

* CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. (bsc#1214666)
* CVE-2023-44487: Fix HTTP/2 Rapid Reset Attack. (bsc#1216182)

- Update to Tomcat 9.0.82:

* Catalina

- Add: 65770: Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates.
- Fix: Fix handling of an error reading a context descriptor on deployment.
- Fix: Fix rewrite rule qsd (query string discard) being ignored if qsa was also use, while it should instead take precedence.
- Fix: 67472: Send fewer CORS-related headers when CORS is not actually being engaged.
- Add: Improve handling of failures within recycle() methods.

* Coyote

- Fix: 67670: Fix regression with HTTP compression after code refactoring.
- Fix: 67198: Ensure that the AJP connector attribute tomcatAuthorization takes precedence over the tomcatAuthentication attribute when processing an auth_type attribute received from a proxy server.
- Fix: 67235: Fix a NullPointerException when an AsyncListener handles an error with a dispatch rather than a complete.
- Fix: When an error occurs during asynchronous processing, ensure that the error handling process is only triggered once per asynchronous cycle.
- Fix: Fix logic issue trying to match no argument method in IntropectionUtil.
- Fix: Improve thread safety around readNotify and writeNotify in the NIO2 endpoint.
- Fix: Avoid rare thread safety issue accessing message digest map.
- Fix: Improve statistics collection for upgraded connections under load.
- Fix: Align validation of HTTP trailer fields with standard fields.
- Fix: Improvements to HTTP/2 overhead protection (bsc#1216182, CVE-2023-44487)

* jdbc-pool

- Fix: 67664: Correct a regression in the clean-up of unnecessary use of fully qualified class names in 9.0.81 that broke the jdbc-pool.

* Jasper

- Fix: 67080: Improve performance of EL expressions in JSPs that use implicit objects

- Update to Tomcat 9.0.80 (jsc#PED-6376, jsc#PED-6377):

* Catalina:

- Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks
- Move the management of the utility executor from the init()/destroy() methods of components to the start()/stop() methods.
- Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual thread based executor that may be used with one or more Connectors to process requests received by those Connectors using virtual threads. This Executor requires a minimum Java version of Java 21.
- Add a per session Semaphore to the PersistentValve that ensures that, within a single Tomcat instance, there is no more than one concurrent request per session. Also expand the debug logging to include whether a request bypasses the Valve and the reason if a request fails to obtain the per session Semaphore.
- Ensure that the default servlet correctly escapes file names in directory listings when using XML output.
- Add a numeric last modified field to the XML directory listings produced by the default servlet to enable sorting in the XSLT.
- Attempts to lock a collection with WebDAV may incorrectly fail if a child collection has an expired lock.
+ Deprecate the xssProtectionEnabled setting from the HttpHeaderSecurityFilter and change the default value to false as support for the associated HTTP header has been removed from all major browsers.
+ Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information environment entries.
+ Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file.
+ Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately crafted to allow it even when allowLinking was set to false.
+ Add utility config file resource lookup on Context to allow looking up resources from the webapp (prefixed with webapp:) and make the resource lookup API more visible.
+ Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan.
+ Make parsing of ExtendedAccessLogValve patterns more robust.
+ Fix failure trying to persist configuration for an internal credential handler.
+ When serializing a session during the session presistence process, do not log a warning that null Principals are not serializable.
+ Catch NamingException in JNDIRealm#getPrincipal. It is used in Java up to 17 to signal closed connections.
+ Use the same naming format in log messages for Connector instances as the associated ProtocolHandler instance.
+ The parts count should also lower the actual maxParameterCount used for parsing parameters if parts are parsed first.
+ If an application or library sets both a non-500 error code and the javax.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
+ Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB.

* Coyote:

+ Update the HTTP/2 implementation to use the prioritization scheme defined in RFC 9218 rather than the one defined in RFC 7540.
+ Fix not sending WINDOW_UPDATE when dataLength is ZERO on call SwallowedDataFramePayload.
+ Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather than reflecting the most recent conversion.
+ Correct certificate logging on start-up so it differentiates between keystore based keys/certificates:
PEM file based keys/certificates and logs the relevant information for each.
+ Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from the Poller to be missed resuting in a timeout rather than the expected read or write.
+ Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait.
+ Correct a regression introduced in 9.0.78 and use the correct constant when constructing the default value for the certificateKeystoreFile attribute of an SSLHostConfigCertificate instance.
+ Refactor HTTP/2 implementation to reduce pinning when using virtual threads.
+ Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM instead of producing an error trying to parse it.
+ Ensure that AsyncListener.onError() is called after an error during asynchronous processing with HTTP/2.
+ When using asynchronous I/O (the default for NIO and NIO2), include DATA frames when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated.
+ Correct a race condition that could cause spurious RST messages to be sent after the response had been written to an HTTP/2 stream.

* WebSocket:

+ Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid characters from the base64 alphabet are used.
+ Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown.
+ Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before the onClose() event had been completed.
+ Fix a NullPointerException when flushing batched messages with compression enabled using permessage- deflate.

* Web applications:

+ Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks attribute in the configuration section for the Digest authentication value.
+ Documentation: Expand the security guidance to cover the embedded use case and add notes on the uses made of the java.io.tmpdir system property.
+ Documentation: Fix a typo in the name of the algorithms + Documentation: Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB.

* jdbc-pool:

+ Fix the releaseIdleCounter does not increment when testAllIdle releases them.
+ Fix the ConnectionState state will be inconsistent with actual state on the connection when an exception occurs while writing.

* Other:

+ Update to Commons Daemon 1.3.4.
+ Improvements to French translations.
+ Update Checkstyle to 10.12.0.
+ Update the packaged version of the Apache Tomcat Native Library to 1.2.37 to pick up the Windows binaries built with with OpenSSL 1.1.1u.
+ Include the Windows specific binary distributions in the files uploaded to Maven Central.
+ Improvements to French translations.
+ Improvements to Japanese translations.
+ Update UnboundID to 6.0.9.
+ Update Checkstyle to 10.12.1.
+ Update BND to 6.4.1.66665:
+ Update JSign to 5.0.
+ Correct properties for JSign dependency.
+ Align documentation for maxParameterCount to match hard-coded defaults.
+ Update NSIS to 3.0.9.
+ Update Checkstyle to 10.12.2.
+ Improvements to French translations.
+ Improvements to Japanese translations.
+ Fix quoting so users can use the _RUNJAVA environment variable as intended on Windows when the path to the Java executable contains spaces.
+ Update Tomcat Native to 1.2.38 to pick up Windows binaries built with OpenSSL 1.1.1v.
+ Improvements to Chinese translations.
+ Improvements to French translations.
+ Improvements to Japanese translations

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1214666

https://bugzilla.suse.com/1216182

https://www.suse.com/security/cve/CVE-2023-41080

https://www.suse.com/security/cve/CVE-2023-44487

http://www.nessus.org/u?060034cc

Plugin Details

Severity: Medium

ID: 183494

File Name: suse_SU-2023-4129-1.nasl

Version: 1.5

Type: Local

Agent: unix

Published: 10/20/2023

Updated: 6/26/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

Percentile: 98.44

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2023-41080

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 6.9

Threat Vector: CVSS:4.0/E:A

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2023-44487

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:tomcat-jsp-2_3-api, p-cpe:/a:novell:suse_linux:tomcat-servlet-4_0-api, cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:tomcat, p-cpe:/a:novell:suse_linux:tomcat-el-3_0-api, p-cpe:/a:novell:suse_linux:tomcat-webapps, p-cpe:/a:novell:suse_linux:tomcat-lib, p-cpe:/a:novell:suse_linux:tomcat-admin-webapps

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/19/2023

Vulnerability Publication Date: 8/25/2023

CISA Known Exploited Vulnerability Due Dates: 10/31/2023

Reference Information

CVE: CVE-2023-41080, CVE-2023-44487

IAVA: 2023-A-0443-S, 2023-A-0534-S

IAVB: 2023-B-0083-S

SuSE: SUSE-SU-2023:4129-1