...

Columns: date, CVE, description, affected versions, risk for Delft-FEWS, JIRA, upgrade strategy
Date: October 2023

CVE: CVE-2023-42795

Description: When recycling various internal objects, including the request and the response, prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next.

Affected versions:
  • Apache Tomcat 10.1.0 - 10.1.13
  • Apache Tomcat 9.0.0 - 9.0.80

Upgrade strategy: Upgrade to the latest version of Apache Tomcat.

Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9; releases >= 2023.01 require Apache Tomcat 10.

Date: October 2023

CVE: CVE-2023-44487

Description: Tomcat's HTTP/2 implementation was vulnerable to the rapid reset attack. The denial of service typically manifested as an OutOfMemoryError.

Affected versions:
  • Apache Tomcat 10.1.0 - 10.1.13
  • Apache Tomcat 9.0.0 - 9.0.80

Upgrade strategy: Upgrade to the latest version of Apache Tomcat.

Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9; releases >= 2023.01 require Apache Tomcat 10.

Date: October 2023

CVE: CVE-2023-45648

Description: Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.

Affected versions:
  • Apache Tomcat 10.1.0 - 10.1.13
  • Apache Tomcat 9.0.0 - 9.0.80

Upgrade strategy: Upgrade to the latest version of Apache Tomcat.

Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9; releases >= 2023.01 require Apache Tomcat 10.

Date: June 2023

CVE: CVE-2023-34981

Description: A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers, no AJP SEND_HEADERS message would be sent for the response, which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request, leading to an information leak.

Affected versions:
  • Apache Tomcat 10.1.8
  • Apache Tomcat 9.0.74

Risk for Delft-FEWS: None, we do not use AJP proxy.

Upgrade strategy: Upgrade to the latest version of Apache Tomcat.

Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9; releases >= 2023.01 require Apache Tomcat 10.

Date: May 2023

CVE: CVE-2022-28079

Description: The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters, and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed, with the potential for a denial of service to occur.

Upgrade strategy: Upgrade to the latest version of Apache Tomcat.

Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9; releases >= 2023.01 require Apache Tomcat 10.

...