[thredds] Fwd: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Mon, 1 Mar 2021 09:14:37 -0700
Hello all,

A couple of new CVEs were issued for Tomcat, including one with a severity
designation of 'important' (see below).  Please be sure to keep your Tomcat
installations up-to-date with the most current version available.

Cheers,
Jennifer

CVE-2021-25122 h2c request mix-up
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0
> Apache Tomcat 9.0.0.M1 to 9.0.41
> Apache Tomcat 8.5.0 to 8.5.61
> Description:
> When responding to new h2c connection requests, Apache Tomcat could
> duplicate request headers and a limited amount of request body from one
> request to another meaning user A and user B could both see the results
> of user A's request.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.0.2 or later
> - Upgrade to Apache Tomcat 9.0.43 or later
> - Upgrade to Apache Tomcat 8.5.63 or later
> Note that the issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release
> votes for those versions did not pass.
> Credit:
> This issue was identified by the Apache Tomcat Security Team.
> History:
> 2021-03-01 Original advisory
> References:
> [1] https://tomcat.apache.org/security-10.html
> [2] https://tomcat.apache.org/security-9.html
> [3] https://tomcat.apache.org/security-8.html
> [4] https://tomcat.apache.org/security-7.html