Re: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up
Cherish the word as gold.

Regards,
r00t4dm
Cloud-Penetrating Arrow Lab of Meituan Corp Information Security Department

> On 5 March 2021 at 17:48, Mark Thomas wrote:
>
> On 05/03/2021 08:20, Kursu, Teemu wrote:
>> Hi,
>> Just to make sure that I understand this correctly. Does this vulnerability
>> affect both http1.1 and http2 protocols?
>
> No.
>
>> I mean is this vulnerability still relevant if HTTP Upgrade Protocol is not
>> implemented in server.xml?
>
> No.
>
> Mark
>
>> Regards,
>> Teemu Kursu
>>
>> -----Original Message-----
>> From: Mark Thomas
>> Sent: Monday, 1 March 2021 13:05
>> To: Tomcat Users List
>> Cc: annou...@tomcat.apache.org; annou...@apache.org; Tomcat Developers List
>> Subject: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up
>>
>> CVE-2021-25122 h2c request mix-up
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 10.0.0-M1 to 10.0.0
>> Apache Tomcat 9.0.0.M1 to 9.0.41
>> Apache Tomcat 8.5.0 to 8.5.61
>>
>> Description:
>> When responding to new h2c connection requests, Apache Tomcat could
>> duplicate request headers and a limited amount of request body from one
>> request to another meaning user A and user B could both see the results of
>> user A's request.
>>
>> Mitigation:
>> Users of the affected versions should apply one of the following
>> mitigations:
>> - Upgrade to Apache Tomcat 10.0.2 or later
>> - Upgrade to Apache Tomcat 9.0.43 or later
>> - Upgrade to Apache Tomcat 8.5.63 or later
>> Note that this issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes
>> for those versions did not pass.
>>
>> Credit:
>> This issue was identified by the Apache Tomcat Security Team.
>>
>> History:
>> 2021-03-01 Original advisory
>>
>> References:
>> [1] https://tomcat.apache.org/security-10.html
>> [2] https://tomcat.apache.org/security-9.html
>> [3] https://tomcat.apache.org/security-8.html
>> [4] https://tomcat.apache.org/security-7.html
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up
On 05/03/2021 08:20, Kursu, Teemu wrote:
> Hi,
> Just to make sure that I understand this correctly. Does this vulnerability
> affect both http1.1 and http2 protocols?

No.

> I mean is this vulnerability still relevant if HTTP Upgrade Protocol is not
> implemented in server.xml?

No.

Mark

> Regards,
> Teemu Kursu
>
> -----Original Message-----
> From: Mark Thomas
> Sent: Monday, 1 March 2021 13:05
> To: Tomcat Users List
> Cc: annou...@tomcat.apache.org; annou...@apache.org; Tomcat Developers List
> Subject: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up
>
> CVE-2021-25122 h2c request mix-up
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0
> Apache Tomcat 9.0.0.M1 to 9.0.41
> Apache Tomcat 8.5.0 to 8.5.61
>
> Description:
> When responding to new h2c connection requests, Apache Tomcat could
> duplicate request headers and a limited amount of request body from one
> request to another meaning user A and user B could both see the results of
> user A's request.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 10.0.2 or later
> - Upgrade to Apache Tomcat 9.0.43 or later
> - Upgrade to Apache Tomcat 8.5.63 or later
> Note that this issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes
> for those versions did not pass.
>
> Credit:
> This issue was identified by the Apache Tomcat Security Team.
>
> History:
> 2021-03-01 Original advisory
>
> References:
> [1] https://tomcat.apache.org/security-10.html
> [2] https://tomcat.apache.org/security-9.html
> [3] https://tomcat.apache.org/security-8.html
> [4] https://tomcat.apache.org/security-7.html
RE: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up
Hi,

Just to make sure that I understand this correctly. Does this vulnerability
affect both http1.1 and http2 protocols?

I mean is this vulnerability still relevant if HTTP Upgrade Protocol is not
implemented in server.xml?

Regards,
Teemu Kursu

-----Original Message-----
From: Mark Thomas
Sent: Monday, 1 March 2021 13:05
To: Tomcat Users List
Cc: annou...@tomcat.apache.org; annou...@apache.org; Tomcat Developers List
Subject: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up

CVE-2021-25122 h2c request mix-up

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0
Apache Tomcat 9.0.0.M1 to 9.0.41
Apache Tomcat 8.5.0 to 8.5.61

Description:
When responding to new h2c connection requests, Apache Tomcat could
duplicate request headers and a limited amount of request body from one
request to another meaning user A and user B could both see the results of
user A's request.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.2 or later
- Upgrade to Apache Tomcat 9.0.43 or later
- Upgrade to Apache Tomcat 8.5.63 or later
Note that this issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes
for those versions did not pass.

Credit:
This issue was identified by the Apache Tomcat Security Team.

History:
2021-03-01 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html
[SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up
CVE-2021-25122 h2c request mix-up

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0
Apache Tomcat 9.0.0.M1 to 9.0.41
Apache Tomcat 8.5.0 to 8.5.61

Description:
When responding to new h2c connection requests, Apache Tomcat could
duplicate request headers and a limited amount of request body from one
request to another meaning user A and user B could both see the results of
user A's request.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.2 or later
- Upgrade to Apache Tomcat 9.0.43 or later
- Upgrade to Apache Tomcat 8.5.63 or later
Note that this issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes
for those versions did not pass.

Credit:
This issue was identified by the Apache Tomcat Security Team.

History:
2021-03-01 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html
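The two questions in this thread (which versions are in scope, and whether a deployment without an HTTP/2 UpgradeProtocol in server.xml is exposed) are the checks an operator runs during triage. The script below is an added example, not code from the Tomcat project or from anyone on the thread. It encodes the advisory's affected ranges, parses Tomcat version strings including milestone builds (`10.0.0-M1`, `9.0.0.M1`), and scans a server.xml for cleartext connectors that carry the HTTP/2 upgrade. The `org.apache.coyote.http2.Http2Protocol` class name and the Connector/UpgradeProtocol layout are Tomcat's real configuration conventions; the sample server.xml documents and the function names (`parse_version`, `is_affected_version`, `h2c_connectors`, `assess`) are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as listed in the advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0"),
    ("9.0.0.M1", "9.0.41"),
    ("8.5.0", "8.5.61"),
]

# Class name Tomcat uses for the HTTP/2 upgrade protocol in server.xml.
HTTP2_UPGRADE_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Tomcat version strings look like 9.0.41, 10.0.0-M1 or 9.0.0.M1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version):
    """Turn a Tomcat version string into a comparable tuple.

    Milestone builds (M1, M2, ...) sort before the final release of the
    same number, so the fourth element is 0 for milestones and 1 for finals.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected_version(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def h2c_connectors(server_xml):
    """Return the ports of cleartext connectors that enable the HTTP/2 upgrade.

    h2c is HTTP/2 negotiated over a plain (non-TLS) HTTP/1.1 connection, so
    only connectors without SSLEnabled="true" that carry an HTTP/2
    UpgradeProtocol can receive h2c connection requests.
    """
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        tls = connector.get("SSLEnabled", "false").lower() == "true"
        has_h2 = any(up.get("className") == HTTP2_UPGRADE_CLASS
                     for up in connector.findall("UpgradeProtocol"))
        if has_h2 and not tls:
            ports.append(connector.get("port"))
    return ports


def assess(version, server_xml):
    """Combine the version check with the configuration check.

    As answered in the thread, the issue is not relevant when no HTTP
    Upgrade Protocol is configured in server.xml, so an affected version
    counts as exposed only when at least one h2c connector is present.
    """
    ports = h2c_connectors(server_xml)
    affected = is_affected_version(version)
    return {
        "version_affected": affected,
        "h2c_ports": ports,
        "exposed": affected and bool(ports),
    }


# Constructed sample server.xml (not from the page): one cleartext connector
# with h2c enabled, one TLS connector with HTTP/2, and an AJP connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Same layout with no HTTP/2 upgrade configured anywhere (also constructed).
SAMPLE_SERVER_XML_NO_H2 = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for ver in ("9.0.41", "9.0.43", "10.0.0-M1", "8.5.63"):
        print(ver, assess(ver, SAMPLE_SERVER_XML))
```

Two design points: the version parser treats a milestone as sorting below the final release of the same number, which is what makes `10.0.0-M1` to `10.0.0` a meaningful inclusive range, and the connector scan deliberately ignores TLS connectors because those negotiate HTTP/2 via ALPN rather than through an h2c upgrade request. The `exposed` flag is a triage aid for ordering patch work; the advisory's mitigation remains the upgrade.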