Author: markt
Date: Mon Feb 24 12:46:42 2020
New Revision: 1874444
URL: http://svn.apache.org/viewvc?rev=1874444&view=rev
Log:
Publish CVE-2019-17569, CVE-2020-1935 and CVE-2020-1938
Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml
Modified: tomcat/site/trunk/docs/security-7.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1874444&r1=1874443&r2=1874444&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Feb 24 12:46:42 2020
@@ -2,7 +2,7 @@
<html lang="en"><head><META http-equiv="Content-Type" content="text/html;
charset=UTF-8"><meta name="viewport" content="width=device-width,
initial-scale=1"><link href="res/css/tomcat.css" rel="stylesheet"
type="text/css"><link href="res/css/fonts/fonts.css" rel="stylesheet"
type="text/css"><title>Apache Tomcat® - Apache Tomcat 7
vulnerabilities</title><meta name="author" content="Apache Tomcat
Project"></head><body><div id="wrapper"><header id="header"><div
class="clearfix"><div class="menu-toggler pull-left" tabindex="1"><div
class="hamburger"></div></div><a href="http://tomcat.apache.org/";><img
class="tomcat-logo pull-left noPrint" alt="Tomcat Home"
src="res/images/tomcat.png"></a><h1 class="pull-left">Apache
Tomcat<sup>®</sup></h1><div class="asf-logos pull-right"><a
href="https://www.apache.org/foundation/contributing.html"; target="_blank"
class="pull-left"><img
src="https://www.apache.org/images/SupportApache-small.png"; class="support-asf"
alt="Support Apache"></a><a h
ref="http://www.apache.org/"; target="_blank" class="pull-left"><img
src="res/images/asf_logo.svg" class="asf-logo" alt="The Apache Software
Foundation"></a></div></div></header><main id="middle"><div><div
id="mainLeft"><div id="nav-wrapper"><form
action="https://www.google.com/search"; method="get"><div
class="searchbox"><input value="tomcat.apache.org" name="sitesearch"
type="hidden"><input aria-label="Search text" placeholder="Search…"
required="required" name="q" id="query"
type="search"><button>GO</button></div></form><div class="asfevents"><a
href="https://www.apache.org/events/current-event.html";><img
src="https://www.apache.org/events/current-event-234x60.png"; alt="Next ASF
event"><br>
Save the date!
</a></div><nav><div><h2>Apache Tomcat</h2><ul><li><a
href="./index.html">Home</a></li><li><a
href="./taglibs.html">Taglibs</a></li><li><a href="./maven-plugin.html">Maven
Plugin</a></li></ul></div><div><h2>Download</h2><ul><li><a
href="./whichversion.html">Which version?</a></li><li><a
href="https://tomcat.apache.org/download-90.cgi";>Tomcat 9</a></li><li><a
href="https://tomcat.apache.org/download-80.cgi";>Tomcat 8</a></li><li><a
href="https://tomcat.apache.org/download-70.cgi";>Tomcat 7</a></li><li><a
href="https://tomcat.apache.org/download-connectors.cgi";>Tomcat
Connectors</a></li><li><a
href="https://tomcat.apache.org/download-native.cgi";>Tomcat
Native</a></li><li><a
href="https://tomcat.apache.org/download-taglibs.cgi";>Taglibs</a></li><li><a
href="https://archive.apache.org/dist/tomcat/";>Archives</a></li></ul></div><div><h2>Documentation</h2><ul><li><a
href="./tomcat-9.0-doc/index.html">Tomcat 9.0</a></li><li><a
href="./tomcat-8.5-doc/index.html">Tomcat 8.5</a></li><l
i><a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a></li><li><a
href="./connectors-doc/">Tomcat Connectors</a></li><li><a
href="./native-doc/">Tomcat Native</a></li><li><a
href="https://cwiki.apache.org/confluence/display/TOMCAT";>Wiki</a></li><li><a
href="./migration.html">Migration Guide</a></li><li><a
href="./presentations.html">Presentations</a></li></ul></div><div><h2>Problems?</h2><ul><li><a
href="./security.html">Security Reports</a></li><li><a
href="./findhelp.html">Find help</a></li><li><a
href="https://cwiki.apache.org/confluence/display/TOMCAT/FAQ";>FAQ</a></li><li><a
href="./lists.html">Mailing Lists</a></li><li><a href="./bugreport.html">Bug
Database</a></li><li><a href="./irc.html">IRC</a></li></ul></div><div><h2>Get
Involved</h2><ul><li><a href="./getinvolved.html">Overview</a></li><li><a
href="./source.html">Source code</a></li><li><a
href="./ci.html">Buildbot</a></li><li><a
href="https://cwiki.apache.org/confluence/x/vIPzBQ";>Translations</a></li><li><a
href="./tools
.html">Tools</a></li></ul></div><div><h2>Media</h2><ul><li><a
href="https://twitter.com/theapachetomcat";>Twitter</a></li><li><a
href="https://www.youtube.com/c/ApacheTomcatOfficial";>YouTube</a></li><li><a
href="https://blogs.apache.org/tomcat/";>Blog</a></li></ul></div><div><h2>Misc</h2><ul><li><a
href="./whoweare.html">Who We Are</a></li><li><a
href="https://www.redbubble.com/people/comdev/works/30885254-apache-tomcat";>Swag</a></li><li><a
href="./heritage.html">Heritage</a></li><li><a
href="http://www.apache.org";>Apache Home</a></li><li><a
href="./resources.html">Resources</a></li><li><a
href="./contact.html">Contact</a></li><li><a
href="./legal.html">Legal</a></li><li><a
href="https://www.apache.org/foundation/contributing.html";>Support
Apache</a></li><li><a
href="https://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li><li><a
href="http://www.apache.org/foundation/thanks.html";>Thanks</a></li><li><a
href="http://www.apache.org/licenses/";>License</a></li></ul></div></
nav></div></div><div id="mainRight"><div id="content"><h2 style="display:
none;">Content</h2><h3 id="Table_of_Contents">Table of Contents</h3><div
class="text">
-<ul><li><a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x
vulnerabilities</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.99">Fixed in
Apache Tomcat 7.0.99</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.94">Fixed
in Apache Tomcat 7.0.94</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.91">Fixed in Apache Tomcat
7.0.91</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.90">Fixed in Apache
Tomcat 7.0.90</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.89">Fixed in
Apache Tomcat 7.0.89</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.88">Fixed
in Apache Tomcat 7.0.88</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.85">Fixed in Apache Tomcat
7.0.85</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.84">Fixed in Apache
Tomcat 7.0.84</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.82">Fixed in
Apache Tomcat 7.0.82</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.81">Fixed
in Apache Tomcat 7.0.81</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.79">Fixed in Apache Tomcat 7.0.
79</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.78">Fixed in Apache Tomcat
7.0.78</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.77">Fixed in Apache
Tomcat 7.0.77</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.76">Fixed in
Apache Tomcat 7.0.76</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.75">Fixed
in Apache Tomcat 7.0.75</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.73">Fixed in Apache Tomcat
7.0.73</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.72">Fixed in Apache
Tomcat 7.0.72</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.70">Fixed in
Apache Tomcat 7.0.70</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.68">Fixed
in Apache Tomcat 7.0.68</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.67">Fixed in Apache Tomcat
7.0.67</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.65">Fixed in Apache
Tomcat 7.0.65</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.59">Fixed in
Apache Tomcat 7.0.59</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.55">Fixed
in Apache Tomcat 7.0.5
5</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.54">Fixed in Apache Tomcat
7.0.54</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.53">Fixed in Apache
Tomcat 7.0.53</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.52">Fixed in
Apache Tomcat 7.0.52</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.50">Fixed
in Apache Tomcat 7.0.50</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.47">Fixed in Apache Tomcat
7.0.47</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.40">Fixed in Apache
Tomcat 7.0.40</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.33">Fixed in
Apache Tomcat 7.0.33</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.32">Fixed
in Apache Tomcat 7.0.32</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.30">Fixed in Apache Tomcat
7.0.30</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.28">Fixed in Apache
Tomcat 7.0.28</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.23">Fixed in
Apache Tomcat 7.0.23</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.22">Fixed
in Apache Tomcat 7.0.22
</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.21">Fixed in Apache Tomcat
7.0.21</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.20">Fixed in Apache
Tomcat 7.0.20</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.19">Fixed in
Apache Tomcat 7.0.19</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.14">Fixed
in Apache Tomcat 7.0.14</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.12">Fixed in Apache Tomcat
7.0.12</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.11">Fixed in Apache
Tomcat 7.0.11</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.8">Fixed in
Apache Tomcat 7.0.8</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.6">Fixed
in Apache Tomcat 7.0.6</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.5">Fixed in Apache Tomcat
7.0.5</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.4">Fixed in Apache
Tomcat 7.0.4</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.2">Fixed in
Apache Tomcat 7.0.2</a></li><li><a href="#Not_a_vulnerability_in_Tomcat">Not a
vulnerability in Tomcat</a></li></
ul>
+<ul><li><a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x
vulnerabilities</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.100">Fixed in
Apache Tomcat 7.0.100</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.99">Fixed in Apache Tomcat
7.0.99</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.94">Fixed in Apache
Tomcat 7.0.94</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.91">Fixed in
Apache Tomcat 7.0.91</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.90">Fixed
in Apache Tomcat 7.0.90</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.89">Fixed in Apache Tomcat
7.0.89</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.88">Fixed in Apache
Tomcat 7.0.88</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.85">Fixed in
Apache Tomcat 7.0.85</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.84">Fixed
in Apache Tomcat 7.0.84</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.82">Fixed in Apache Tomcat
7.0.82</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.81">Fixed in Apache
Tomcat 7.
0.81</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.79">Fixed in Apache
Tomcat 7.0.79</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.78">Fixed in
Apache Tomcat 7.0.78</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.77">Fixed
in Apache Tomcat 7.0.77</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.76">Fixed in Apache Tomcat
7.0.76</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.75">Fixed in Apache
Tomcat 7.0.75</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.73">Fixed in
Apache Tomcat 7.0.73</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.72">Fixed
in Apache Tomcat 7.0.72</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.70">Fixed in Apache Tomcat
7.0.70</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.68">Fixed in Apache
Tomcat 7.0.68</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.67">Fixed in
Apache Tomcat 7.0.67</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.65">Fixed
in Apache Tomcat 7.0.65</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.59">Fixed in Apache Tomcat 7.0
.59</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.55">Fixed in Apache
Tomcat 7.0.55</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.54">Fixed in
Apache Tomcat 7.0.54</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.53">Fixed
in Apache Tomcat 7.0.53</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.52">Fixed in Apache Tomcat
7.0.52</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.50">Fixed in Apache
Tomcat 7.0.50</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.47">Fixed in
Apache Tomcat 7.0.47</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.40">Fixed
in Apache Tomcat 7.0.40</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.33">Fixed in Apache Tomcat
7.0.33</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.32">Fixed in Apache
Tomcat 7.0.32</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.30">Fixed in
Apache Tomcat 7.0.30</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.28">Fixed
in Apache Tomcat 7.0.28</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.23">Fixed in Apache Tomcat 7.0.
23</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.22">Fixed in Apache Tomcat
7.0.22</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.21">Fixed in Apache
Tomcat 7.0.21</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.20">Fixed in
Apache Tomcat 7.0.20</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.19">Fixed
in Apache Tomcat 7.0.19</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.14">Fixed in Apache Tomcat
7.0.14</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.12">Fixed in Apache
Tomcat 7.0.12</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.11">Fixed in
Apache Tomcat 7.0.11</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.8">Fixed
in Apache Tomcat 7.0.8</a></li><li><a
href="#Fixed_in_Apache_Tomcat_7.0.6">Fixed in Apache Tomcat
7.0.6</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.5">Fixed in Apache
Tomcat 7.0.5</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.4">Fixed in
Apache Tomcat 7.0.4</a></li><li><a href="#Fixed_in_Apache_Tomcat_7.0.2">Fixed
in Apache Tomcat 7.0.2</a></li>
<li><a href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in
Tomcat</a></li></ul>
</div><h3 id="Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x
vulnerabilities</h3><div class="text">
<p>This page lists all security vulnerabilities fixed in released versions
of Apache Tomcat 7.x. Each vulnerability is given a
@@ -39,6 +39,97 @@
<a href="security.html">Tomcat Security Team</a>. Thank you.
</p>
+ </div><h3 id="Fixed_in_Apache_Tomcat_7.0.100"><span class="pull-right">14
February 2020</span> Fixed in Apache Tomcat 7.0.100</h3><div class="text">
+
+ <p><strong>High: AJP Request Injection and potential Remote Code
Execution</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938";
rel="nofollow">CVE-2020-1938</a></p>
+
+ <p>When using the Apache JServ Protocol (AJP), care must be taken when
+ trusting incoming connections to Apache Tomcat. Tomcat treats AJP
+ connections as having higher trust than, for example, a similar HTTP
+ connection. If such connections are available to an attacker, they can
be
+ exploited in ways that may be surprising. Prior to Tomcat 7.0.100,
Tomcat
+ shipped with an AJP Connector enabled by default that listened on all
+ configured IP addresses. It was expected (and recommended in the
security
+ guide) that this Connector would be disabled if not required.</p>
+ <p>Prior to this vulnerability report, the known risks of an attacker being
+ able to access the AJP port directly were:</p>
+ <ul>
+ <li>bypassing security checks based on client IP address</li>
+ <li>bypassing user authentication if Tomcat was configured to trust
+ authentication data provided by the reverse proxy</li>
+ </ul>
+ <p>This vulnerability report identified a mechanism that allowed the
+ following:</p>
+ <ul>
+ <li>returning arbitrary files from anywhere in the web application
+ including under the WEB-INF and META-INF directories or any other
+ location reachable via ServletContext.getResourceAsStream()</li>
+ <li>processing any file in the web application as a JSP</li>
+ </ul>
+ <p>Further, if the web application allowed file upload and stored those
+ files within the web application (or the attacker was able to control
+ the content of the web application by some other means) then this, along
+ with the ability to process a file as a JSP, made remote code execution
+ possible.</p>
+ <p>It is important to note that mitigation is only required if an AJP port
+ is accessible to untrusted users. Users wishing to take a
+ defence-in-depth approach and block the vector that permits returning
+ arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31
+ or later. Users should note that a number of changes were made to the
+ default AJP Connector configuration in 7.0.100 to harden the default
+ configuration. It is likely that users upgrading to 7.0.100 or later
+ will need to make small changes to their configurations as a result.</p>
+
+ <p>This was fixed with commits
+ <a href="https://github.com/apache/tomcat/commit/0d633e7";>0d633e7</a>,
+ <a href="https://github.com/apache/tomcat/commit/40d5d93";>40d5d93</a>,
+ <a href="https://github.com/apache/tomcat/commit/b99fba5";>b99fba5</a>
and
+ <a
href="https://github.com/apache/tomcat/commit/f7180ba";>f7180ba</a>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 3 January
+ 2020. The issue was made public on 24 February 2020.</p>
+
+ <p>Affects: 7.0.0 to 7.0.99</p>
+
+ <p><strong>Low: HTTP Request Smuggling</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1935";
rel="nofollow">CVE-2020-1935</a></p>
+
+ <p>The HTTP header parsing code used an approach to end-of-line (EOL)
+ parsing that allowed some invalid HTTP headers to be parsed as valid. This
+ led to a possibility of HTTP Request Smuggling if Tomcat was
+ located behind a reverse proxy that incorrectly handled the invalid
+ Transfer-Encoding header in a particular manner. Such a reverse proxy is
+ considered unlikely.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/702bf15";>702bf15</a>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by @ZeddYu
+ on 25 December 2019. The issue was made public on 24
+ February 2020.</p>
+
+ <p>Affects: 7.0.0 to 7.0.99</p>
+
+ <p><strong>Low: HTTP Request Smuggling</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17569";
rel="nofollow">CVE-2019-17569</a></p>
+
+ <p>The refactoring in 7.0.98 introduced a regression. The result of the
+ regression was that invalid Transfer-Encoding headers were incorrectly
+ processed leading to a possibility of HTTP Request Smuggling if Tomcat was
+ located behind a reverse proxy that incorrectly handled the invalid
+ Transfer-Encoding header in a particular manner. Such a reverse proxy is
+ considered unlikely.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/b191a0d";>b191a0d</a>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by @ZeddYu
+ on 12 December 2019. The issue was made public on 24
+ February 2020.</p>
+
+ <p>Affects: 7.0.98 to 7.0.99</p>
+
</div><h3 id="Fixed_in_Apache_Tomcat_7.0.99"><span class="pull-right">17
December 2019</span> Fixed in Apache Tomcat 7.0.99</h3><div class="text">
<p><strong>Low: Session fixation</strong>
Modified: tomcat/site/trunk/docs/security-8.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1874444&r1=1874443&r2=1874444&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Mon Feb 24 12:46:42 2020
@@ -2,7 +2,7 @@
<html lang="en"><head><META http-equiv="Content-Type" content="text/html;
charset=UTF-8"><meta name="viewport" content="width=device-width,
initial-scale=1"><link href="res/css/tomcat.css" rel="stylesheet"
type="text/css"><link href="res/css/fonts/fonts.css" rel="stylesheet"
type="text/css"><title>Apache Tomcat® - Apache Tomcat 8
vulnerabilities</title><meta name="author" content="Apache Tomcat
Project"></head><body><div id="wrapper"><header id="header"><div
class="clearfix"><div class="menu-toggler pull-left" tabindex="1"><div
class="hamburger"></div></div><a href="http://tomcat.apache.org/";><img
class="tomcat-logo pull-left noPrint" alt="Tomcat Home"
src="res/images/tomcat.png"></a><h1 class="pull-left">Apache
Tomcat<sup>®</sup></h1><div class="asf-logos pull-right"><a
href="https://www.apache.org/foundation/contributing.html"; target="_blank"
class="pull-left"><img
src="https://www.apache.org/images/SupportApache-small.png"; class="support-asf"
alt="Support Apache"></a><a h
ref="http://www.apache.org/"; target="_blank" class="pull-left"><img
src="res/images/asf_logo.svg" class="asf-logo" alt="The Apache Software
Foundation"></a></div></div></header><main id="middle"><div><div
id="mainLeft"><div id="nav-wrapper"><form
action="https://www.google.com/search"; method="get"><div
class="searchbox"><input value="tomcat.apache.org" name="sitesearch"
type="hidden"><input aria-label="Search text" placeholder="Search…"
required="required" name="q" id="query"
type="search"><button>GO</button></div></form><div class="asfevents"><a
href="https://www.apache.org/events/current-event.html";><img
src="https://www.apache.org/events/current-event-234x60.png"; alt="Next ASF
event"><br>
Save the date!
</a></div><nav><div><h2>Apache Tomcat</h2><ul><li><a
href="./index.html">Home</a></li><li><a
href="./taglibs.html">Taglibs</a></li><li><a href="./maven-plugin.html">Maven
Plugin</a></li></ul></div><div><h2>Download</h2><ul><li><a
href="./whichversion.html">Which version?</a></li><li><a
href="https://tomcat.apache.org/download-90.cgi";>Tomcat 9</a></li><li><a
href="https://tomcat.apache.org/download-80.cgi";>Tomcat 8</a></li><li><a
href="https://tomcat.apache.org/download-70.cgi";>Tomcat 7</a></li><li><a
href="https://tomcat.apache.org/download-connectors.cgi";>Tomcat
Connectors</a></li><li><a
href="https://tomcat.apache.org/download-native.cgi";>Tomcat
Native</a></li><li><a
href="https://tomcat.apache.org/download-taglibs.cgi";>Taglibs</a></li><li><a
href="https://archive.apache.org/dist/tomcat/";>Archives</a></li></ul></div><div><h2>Documentation</h2><ul><li><a
href="./tomcat-9.0-doc/index.html">Tomcat 9.0</a></li><li><a
href="./tomcat-8.5-doc/index.html">Tomcat 8.5</a></li><l
i><a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a></li><li><a
href="./connectors-doc/">Tomcat Connectors</a></li><li><a
href="./native-doc/">Tomcat Native</a></li><li><a
href="https://cwiki.apache.org/confluence/display/TOMCAT";>Wiki</a></li><li><a
href="./migration.html">Migration Guide</a></li><li><a
href="./presentations.html">Presentations</a></li></ul></div><div><h2>Problems?</h2><ul><li><a
href="./security.html">Security Reports</a></li><li><a
href="./findhelp.html">Find help</a></li><li><a
href="https://cwiki.apache.org/confluence/display/TOMCAT/FAQ";>FAQ</a></li><li><a
href="./lists.html">Mailing Lists</a></li><li><a href="./bugreport.html">Bug
Database</a></li><li><a href="./irc.html">IRC</a></li></ul></div><div><h2>Get
Involved</h2><ul><li><a href="./getinvolved.html">Overview</a></li><li><a
href="./source.html">Source code</a></li><li><a
href="./ci.html">Buildbot</a></li><li><a
href="https://cwiki.apache.org/confluence/x/vIPzBQ";>Translations</a></li><li><a
href="./tools
.html">Tools</a></li></ul></div><div><h2>Media</h2><ul><li><a
href="https://twitter.com/theapachetomcat";>Twitter</a></li><li><a
href="https://www.youtube.com/c/ApacheTomcatOfficial";>YouTube</a></li><li><a
href="https://blogs.apache.org/tomcat/";>Blog</a></li></ul></div><div><h2>Misc</h2><ul><li><a
href="./whoweare.html">Who We Are</a></li><li><a
href="https://www.redbubble.com/people/comdev/works/30885254-apache-tomcat";>Swag</a></li><li><a
href="./heritage.html">Heritage</a></li><li><a
href="http://www.apache.org";>Apache Home</a></li><li><a
href="./resources.html">Resources</a></li><li><a
href="./contact.html">Contact</a></li><li><a
href="./legal.html">Legal</a></li><li><a
href="https://www.apache.org/foundation/contributing.html";>Support
Apache</a></li><li><a
href="https://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li><li><a
href="http://www.apache.org/foundation/thanks.html";>Thanks</a></li><li><a
href="http://www.apache.org/licenses/";>License</a></li></ul></div></
nav></div></div><div id="mainRight"><div id="content"><h2 style="display:
none;">Content</h2><h3 id="Table_of_Contents">Table of Contents</h3><div
class="text">
-<ul><li><a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x
vulnerabilities</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.50">Fixed in
Apache Tomcat 8.5.50</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.49">Fixed
in Apache Tomcat 8.5.49</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.5.41">Fixed in Apache Tomcat
8.5.41</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.40">Fixed in Apache
Tomcat 8.5.40</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.38">Fixed in
Apache Tomcat 8.5.38</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.34">Fixed
in Apache Tomcat 8.5.34</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.0.53">Fixed in Apache Tomcat
8.0.53</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.32">Fixed in Apache
Tomcat 8.5.32</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.52">Fixed in
Apache Tomcat 8.0.52</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.31">Fixed
in Apache Tomcat 8.5.31</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.0.50">Fixed in Apache Tomcat 8.0.
50</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.28">Fixed in Apache Tomcat
8.5.28</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.48">Fixed in Apache
Tomcat 8.0.48</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.24">Fixed in
Apache Tomcat 8.5.24</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.47">Fixed
in Apache Tomcat 8.0.47</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.5.23">Fixed in Apache Tomcat
8.5.23</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.45">Fixed in Apache
Tomcat 8.0.45</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.16">Fixed in
Apache Tomcat 8.5.16</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.44">Fixed
in Apache Tomcat 8.0.44</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.5.15">Fixed in Apache Tomcat
8.5.15</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.43">Fixed in Apache
Tomcat 8.0.43</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.13">Fixed in
Apache Tomcat 8.5.13</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.42">Fixed
in Apache Tomcat 8.0.4
2</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.12">Fixed in Apache Tomcat
8.5.12</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.41">Fixed in Apache
Tomcat 8.0.41</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.11">Fixed in
Apache Tomcat 8.5.11</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.9">Fixed
in Apache Tomcat 8.5.9</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.0.39">Fixed in Apache Tomcat
8.0.39</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.8">Fixed in Apache
Tomcat 8.5.8</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37">Fixed in Apache Tomcat 8.5.5
and 8.0.37</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.3_and_8.0.36">Fixed
in Apache Tomcat 8.5.3 and 8.0.36</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.0.32">Fixed in Apache Tomcat
8.0.32</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.30">Fixed in Apache
Tomcat 8.0.30</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.27">Fixed in
Apache Tomcat 8.0.27</a></li><li><a href="#Fixed_in_Apache_Tomcat_8
.0.17">Fixed in Apache Tomcat 8.0.17</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.0.9">Fixed in Apache Tomcat
8.0.9</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.8">Fixed in Apache
Tomcat 8.0.8</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.5">Fixed in
Apache Tomcat 8.0.5</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.3">Fixed
in Apache Tomcat 8.0.3</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.0.0-RC10">Fixed in Apache Tomcat
8.0.0-RC10</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.0-RC3">Fixed in
Apache Tomcat 8.0.0-RC3</a></li><li><a
href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in
Tomcat</a></li></ul>
+<ul><li><a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x
vulnerabilities</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.51">Fixed in
Apache Tomcat 8.5.51</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.50">Fixed
in Apache Tomcat 8.5.50</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.5.49">Fixed in Apache Tomcat
8.5.49</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.41">Fixed in Apache
Tomcat 8.5.41</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.40">Fixed in
Apache Tomcat 8.5.40</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.38">Fixed
in Apache Tomcat 8.5.38</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.5.34">Fixed in Apache Tomcat
8.5.34</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.53">Fixed in Apache
Tomcat 8.0.53</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.32">Fixed in
Apache Tomcat 8.5.32</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.52">Fixed
in Apache Tomcat 8.0.52</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.5.31">Fixed in Apache Tomcat 8.5.
31</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.50">Fixed in Apache Tomcat
8.0.50</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.28">Fixed in Apache
Tomcat 8.5.28</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.48">Fixed in
Apache Tomcat 8.0.48</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.24">Fixed
in Apache Tomcat 8.5.24</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.0.47">Fixed in Apache Tomcat
8.0.47</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.23">Fixed in Apache
Tomcat 8.5.23</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.45">Fixed in
Apache Tomcat 8.0.45</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.16">Fixed
in Apache Tomcat 8.5.16</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.0.44">Fixed in Apache Tomcat
8.0.44</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.15">Fixed in Apache
Tomcat 8.5.15</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.43">Fixed in
Apache Tomcat 8.0.43</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.13">Fixed
in Apache Tomcat 8.5.1
3</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.42">Fixed in Apache Tomcat
8.0.42</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.12">Fixed in Apache
Tomcat 8.5.12</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.41">Fixed in
Apache Tomcat 8.0.41</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.11">Fixed
in Apache Tomcat 8.5.11</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.5.9">Fixed in Apache Tomcat
8.5.9</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.39">Fixed in Apache
Tomcat 8.0.39</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.8">Fixed in
Apache Tomcat 8.5.8</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37">Fixed in Apache Tomcat 8.5.5
and 8.0.37</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.5.3_and_8.0.36">Fixed
in Apache Tomcat 8.5.3 and 8.0.36</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.0.32">Fixed in Apache Tomcat
8.0.32</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.30">Fixed in Apache
Tomcat 8.0.30</a></li><li><a href="#Fixed_in_Apache_Tomcat_8
.0.27">Fixed in Apache Tomcat 8.0.27</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.0.17">Fixed in Apache Tomcat
8.0.17</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.9">Fixed in Apache
Tomcat 8.0.9</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.8">Fixed in
Apache Tomcat 8.0.8</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.5">Fixed
in Apache Tomcat 8.0.5</a></li><li><a
href="#Fixed_in_Apache_Tomcat_8.0.3">Fixed in Apache Tomcat
8.0.3</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.0-RC10">Fixed in Apache
Tomcat 8.0.0-RC10</a></li><li><a href="#Fixed_in_Apache_Tomcat_8.0.0-RC3">Fixed
in Apache Tomcat 8.0.0-RC3</a></li><li><a
href="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in
Tomcat</a></li></ul>
</div><h3 id="Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x
vulnerabilities</h3><div class="text">
<p>This page lists all security vulnerabilities fixed in released versions
of Apache Tomcat 8.x. Each vulnerability is given a
@@ -39,6 +39,99 @@
<a href="security.html">Tomcat Security Team</a>. Thank you.
</p>
+ </div><h3 id="Fixed_in_Apache_Tomcat_8.5.51"><span class="pull-right">11
February 2020</span> Fixed in Apache Tomcat 8.5.51</h3><div class="text">
+
+ <p><strong>High: AJP Request Injection and potential Remote Code
Execution</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938";
rel="nofollow">CVE-2020-1938</a></p>
+
+ <p>When using the Apache JServ Protocol (AJP), care must be taken when
+ trusting incoming connections to Apache Tomcat. Tomcat treats AJP
+ connections as having higher trust than, for example, a similar HTTP
+ connection. If such connections are available to an attacker, they can
be
+ exploited in ways that may be surprising. Prior to Tomcat 8.5.51, Tomcat
+ shipped with an AJP Connector enabled by default that listened on all
+ configured IP addresses. It was expected (and recommended in the
security
+ guide) that this Connector would be disabled if not required.</p>
+ <p>Prior to this vulnerability report, the known risks of an attacker being
+ able to access the AJP port directly were:</p>
+ <ul>
+ <li>bypassing security checks based on client IP address</li>
+ <li>bypassing user authentication if Tomcat was configured to trust
+ authentication data provided by the reverse proxy</li>
+ </ul>
+ <p>This vulnerability report identified a mechanism that allowed the
+ following:</p>
+ <ul>
+ <li>returning arbitrary files from anywhere in the web application
+ including under the WEB-INF and META-INF directories or any other
+ location reachable via ServletContext.getResourceAsStream()</li>
+ <li>processing any file in the web application as a JSP</li>
+ </ul>
+ <p>Further, if the web application allowed file upload and stored those
+ files within the web application (or the attacker was able to control
+ the content of the web application by some other means) then this, along
+ with the ability to process a file as a JSP, made remote code execution
+ possible.</p>
+ <p>It is important to note that mitigation is only required if an AJP port
+ is accessible to untrusted users. Users wishing to take a
+ defence-in-depth approach and block the vector that permits returning
+ arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31
+ or later. Users should note that a number of changes were made to the
+ default AJP Connector configuration in 8.5.51 to harden the default
+ configuration. It is likely that users upgrading to 8.5.51 or later
+ will need to make small changes to their configurations as a result.</p>
+
+ <p>This was fixed with commits
+ <a href="https://github.com/apache/tomcat/commit/69c5608";>69c5608</a>,
+ <a href="https://github.com/apache/tomcat/commit/b962835";>b962835</a>,
+ <a href="https://github.com/apache/tomcat/commit/5a5494f";>5a5494f</a>,
+ <a href="https://github.com/apache/tomcat/commit/9be5760";>9be5760</a>,
+ <a href="https://github.com/apache/tomcat/commit/64159aa";>64159aa</a>
and
+ <a
href="https://github.com/apache/tomcat/commit/03c4361";>03c4361</a>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 3 January
+ 2020. The issue was made public on 24 February 2020.</p>
+
+ <p>Affects: 8.5.0 to 8.5.50</p>
+
+ <p><strong>Low: HTTP Request Smuggling</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1935";
rel="nofollow">CVE-2020-1935</a></p>
+
+ <p>The HTTP header parsing code used an approach to end-of-line (EOL)
+ parsing that allowed some invalid HTTP headers to be parsed as valid. This
+ led to a possibility of HTTP Request Smuggling if Tomcat was
+ located behind a reverse proxy that incorrectly handled the invalid
+ Transfer-Encoding header in a particular manner. Such a reverse proxy is
+ considered unlikely.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/8fbe2e9";>8fbe2e9</a>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by @ZeddYu
+ on 25 December 2019. The issue was made public on 24
+ February 2020.</p>
+
+ <p>Affects: 8.5.0 to 8.5.50</p>
+
+ <p><strong>Low: HTTP Request Smuggling</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17569";
rel="nofollow">CVE-2019-17569</a></p>
+
+ <p>The refactoring in 8.5.48 introduced a regression. The result of the
+ regression was that invalid Transfer-Encoding headers were incorrectly
+ processed leading to a possibility of HTTP Request Smuggling if Tomcat was
+ located behind a reverse proxy that incorrectly handled the invalid
+ Transfer-Encoding header in a particular manner. Such a reverse proxy is
+ considered unlikely.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/959f1df";>959f1df</a>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by @ZeddYu
+ on 12 December 2019. The issue was made public on 24
+ February 2020.</p>
+
+ <p>Affects: 8.5.48 to 8.5.50</p>
+
</div><h3 id="Fixed_in_Apache_Tomcat_8.5.50"><span class="pull-right">12
December 2019</span> Fixed in Apache Tomcat 8.5.50</h3><div class="text">
<p><strong>Low: Session fixation</strong>
Modified: tomcat/site/trunk/docs/security-9.html
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1874444&r1=1874443&r2=1874444&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Mon Feb 24 12:46:42 2020
@@ -2,7 +2,7 @@
<html lang="en"><head><META http-equiv="Content-Type" content="text/html;
charset=UTF-8"><meta name="viewport" content="width=device-width,
initial-scale=1"><link href="res/css/tomcat.css" rel="stylesheet"
type="text/css"><link href="res/css/fonts/fonts.css" rel="stylesheet"
type="text/css"><title>Apache Tomcat® - Apache Tomcat 9
vulnerabilities</title><meta name="author" content="Apache Tomcat
Project"></head><body><div id="wrapper"><header id="header"><div
class="clearfix"><div class="menu-toggler pull-left" tabindex="1"><div
class="hamburger"></div></div><a href="http://tomcat.apache.org/";><img
class="tomcat-logo pull-left noPrint" alt="Tomcat Home"
src="res/images/tomcat.png"></a><h1 class="pull-left">Apache
Tomcat<sup>®</sup></h1><div class="asf-logos pull-right"><a
href="https://www.apache.org/foundation/contributing.html"; target="_blank"
class="pull-left"><img
src="https://www.apache.org/images/SupportApache-small.png"; class="support-asf"
alt="Support Apache"></a><a h
ref="http://www.apache.org/"; target="_blank" class="pull-left"><img
src="res/images/asf_logo.svg" class="asf-logo" alt="The Apache Software
Foundation"></a></div></div></header><main id="middle"><div><div
id="mainLeft"><div id="nav-wrapper"><form
action="https://www.google.com/search"; method="get"><div
class="searchbox"><input value="tomcat.apache.org" name="sitesearch"
type="hidden"><input aria-label="Search text" placeholder="Search…"
required="required" name="q" id="query"
type="search"><button>GO</button></div></form><div class="asfevents"><a
href="https://www.apache.org/events/current-event.html";><img
src="https://www.apache.org/events/current-event-234x60.png"; alt="Next ASF
event"><br>
Save the date!
</a></div><nav><div><h2>Apache Tomcat</h2><ul><li><a
href="./index.html">Home</a></li><li><a
href="./taglibs.html">Taglibs</a></li><li><a href="./maven-plugin.html">Maven
Plugin</a></li></ul></div><div><h2>Download</h2><ul><li><a
href="./whichversion.html">Which version?</a></li><li><a
href="https://tomcat.apache.org/download-90.cgi";>Tomcat 9</a></li><li><a
href="https://tomcat.apache.org/download-80.cgi";>Tomcat 8</a></li><li><a
href="https://tomcat.apache.org/download-70.cgi";>Tomcat 7</a></li><li><a
href="https://tomcat.apache.org/download-connectors.cgi";>Tomcat
Connectors</a></li><li><a
href="https://tomcat.apache.org/download-native.cgi";>Tomcat
Native</a></li><li><a
href="https://tomcat.apache.org/download-taglibs.cgi";>Taglibs</a></li><li><a
href="https://archive.apache.org/dist/tomcat/";>Archives</a></li></ul></div><div><h2>Documentation</h2><ul><li><a
href="./tomcat-9.0-doc/index.html">Tomcat 9.0</a></li><li><a
href="./tomcat-8.5-doc/index.html">Tomcat 8.5</a></li><l
i><a href="./tomcat-7.0-doc/index.html">Tomcat 7.0</a></li><li><a
href="./connectors-doc/">Tomcat Connectors</a></li><li><a
href="./native-doc/">Tomcat Native</a></li><li><a
href="https://cwiki.apache.org/confluence/display/TOMCAT";>Wiki</a></li><li><a
href="./migration.html">Migration Guide</a></li><li><a
href="./presentations.html">Presentations</a></li></ul></div><div><h2>Problems?</h2><ul><li><a
href="./security.html">Security Reports</a></li><li><a
href="./findhelp.html">Find help</a></li><li><a
href="https://cwiki.apache.org/confluence/display/TOMCAT/FAQ";>FAQ</a></li><li><a
href="./lists.html">Mailing Lists</a></li><li><a href="./bugreport.html">Bug
Database</a></li><li><a href="./irc.html">IRC</a></li></ul></div><div><h2>Get
Involved</h2><ul><li><a href="./getinvolved.html">Overview</a></li><li><a
href="./source.html">Source code</a></li><li><a
href="./ci.html">Buildbot</a></li><li><a
href="https://cwiki.apache.org/confluence/x/vIPzBQ";>Translations</a></li><li><a
href="./tools
.html">Tools</a></li></ul></div><div><h2>Media</h2><ul><li><a
href="https://twitter.com/theapachetomcat";>Twitter</a></li><li><a
href="https://www.youtube.com/c/ApacheTomcatOfficial";>YouTube</a></li><li><a
href="https://blogs.apache.org/tomcat/";>Blog</a></li></ul></div><div><h2>Misc</h2><ul><li><a
href="./whoweare.html">Who We Are</a></li><li><a
href="https://www.redbubble.com/people/comdev/works/30885254-apache-tomcat";>Swag</a></li><li><a
href="./heritage.html">Heritage</a></li><li><a
href="http://www.apache.org";>Apache Home</a></li><li><a
href="./resources.html">Resources</a></li><li><a
href="./contact.html">Contact</a></li><li><a
href="./legal.html">Legal</a></li><li><a
href="https://www.apache.org/foundation/contributing.html";>Support
Apache</a></li><li><a
href="https://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li><li><a
href="http://www.apache.org/foundation/thanks.html";>Thanks</a></li><li><a
href="http://www.apache.org/licenses/";>License</a></li></ul></div></
nav></div></div><div id="mainRight"><div id="content"><h2 style="display:
none;">Content</h2><h3 id="Table_of_Contents">Table of Contents</h3><div
class="text">
-<ul><li><a href="#Apache_Tomcat_9.x_vulnerabilities">Apache Tomcat 9.x
vulnerabilities</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.30">Fixed in
Apache Tomcat 9.0.30</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.29">Fixed
in Apache Tomcat 9.0.29</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.20">Fixed in Apache Tomcat
9.0.20</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.19">Fixed in Apache
Tomcat 9.0.19</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.16">Fixed in
Apache Tomcat 9.0.16</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.12">Fixed
in Apache Tomcat 9.0.12</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.10">Fixed in Apache Tomcat
9.0.10</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.9">Fixed in Apache
Tomcat 9.0.9</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.8">Fixed in
Apache Tomcat 9.0.8</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.5">Fixed
in Apache Tomcat 9.0.5</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.2">Fixed in Apache Tomcat 9.0.2</a></
li><li><a href="#Fixed_in_Apache_Tomcat_9.0.1">Fixed in Apache Tomcat
9.0.1</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M22">Fixed in Apache
Tomcat 9.0.0.M22</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M21">Fixed
in Apache Tomcat 9.0.0.M21</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.0.M19">Fixed in Apache Tomcat
9.0.0.M19</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M18">Fixed in
Apache Tomcat 9.0.0.M18</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.0.M17">Fixed in Apache Tomcat
9.0.0.M17</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M15">Fixed in
Apache Tomcat 9.0.0.M15</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.0.M13">Fixed in Apache Tomcat
9.0.0.M13</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M10">Fixed in
Apache Tomcat 9.0.0.M10</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.0.M8">Fixed in Apache Tomcat
9.0.0.M8</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M3">Fixed in Apache
Tomcat 9.0.0.M3</a></li></ul>
+<ul><li><a href="#Apache_Tomcat_9.x_vulnerabilities">Apache Tomcat 9.x
vulnerabilities</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.31">Fixed in
Apache Tomcat 9.0.31</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.30">Fixed
in Apache Tomcat 9.0.30</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.29">Fixed in Apache Tomcat
9.0.29</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.20">Fixed in Apache
Tomcat 9.0.20</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.19">Fixed in
Apache Tomcat 9.0.19</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.16">Fixed
in Apache Tomcat 9.0.16</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.12">Fixed in Apache Tomcat
9.0.12</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.10">Fixed in Apache
Tomcat 9.0.10</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.9">Fixed in
Apache Tomcat 9.0.9</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.8">Fixed
in Apache Tomcat 9.0.8</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.5">Fixed in Apache Tomcat 9.0.5</a>
</li><li><a href="#Fixed_in_Apache_Tomcat_9.0.2">Fixed in Apache Tomcat
9.0.2</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.1">Fixed in Apache
Tomcat 9.0.1</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M22">Fixed in
Apache Tomcat 9.0.0.M22</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.0.M21">Fixed in Apache Tomcat
9.0.0.M21</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M19">Fixed in
Apache Tomcat 9.0.0.M19</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.0.M18">Fixed in Apache Tomcat
9.0.0.M18</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M17">Fixed in
Apache Tomcat 9.0.0.M17</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.0.M15">Fixed in Apache Tomcat
9.0.0.M15</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M13">Fixed in
Apache Tomcat 9.0.0.M13</a></li><li><a
href="#Fixed_in_Apache_Tomcat_9.0.0.M10">Fixed in Apache Tomcat
9.0.0.M10</a></li><li><a href="#Fixed_in_Apache_Tomcat_9.0.0.M8">Fixed in
Apache Tomcat 9.0.0.M8</a></li><li><a href="#Fixed_in_Apache_T
omcat_9.0.0.M3">Fixed in Apache Tomcat 9.0.0.M3</a></li></ul>
</div><h3 id="Apache_Tomcat_9.x_vulnerabilities">Apache Tomcat 9.x
vulnerabilities</h3><div class="text">
<p>This page lists all security vulnerabilities fixed in released versions
of Apache Tomcat 9.x. Each vulnerability is given a
@@ -39,6 +39,98 @@
<a href="security.html">Tomcat Security Team</a>. Thank you.
</p>
+ </div><h3 id="Fixed_in_Apache_Tomcat_9.0.31"><span class="pull-right">11
February 2019</span> Fixed in Apache Tomcat 9.0.31</h3><div class="text">
+
+ <p><strong>High: AJP Request Injection and potential Remote Code
Execution</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938";
rel="nofollow">CVE-2020-1938</a></p>
+
+ <p>When using the Apache JServ Protocol (AJP), care must be taken when
+ trusting incoming connections to Apache Tomcat. Tomcat treats AJP
+ connections as having higher trust than, for example, a similar HTTP
+ connection. If such connections are available to an attacker, they can
be
+ exploited in ways that may be surprising. Prior to Tomcat 9.0.31, Tomcat
+ shipped with an AJP Connector enabled by default that listened on all
+ configured IP addresses. It was expected (and recommended in the
security
+ guide) that this Connector would be disabled if not required.</p>
+ <p>Prior to this vulnerability report, the known risks of an attacker being
+ able to access the AJP port directly were:</p>
+ <ul>
+ <li>bypassing security checks based on client IP address</li>
+ <li>bypassing user authentication if Tomcat was configured to trust
+ authentication data provided by the reverse proxy</li>
+ </ul>
+ <p>This vulnerability report identified a mechanism that allowed the
+ following:</p>
+ <ul>
+ <li>returning arbitrary files from anywhere in the web application
+ including under the WEB-INF and META-INF directories or any other
+ location reachable via ServletContext.getResourceAsStream()</li>
+ <li>processing any file in the web application as a JSP</li>
+ </ul>
+ <p>Further, if the web application allowed file upload and stored those
+ files within the web application (or the attacker was able to control
+ the content of the web application by some other means) then this, along
+ with the ability to process a file as a JSP, made remote code execution
+ possible.</p>
+ <p>It is important to note that mitigation is only required if an AJP port
+ is accessible to untrusted users. Users wishing to take a
+ defence-in-depth approach and block the vector that permits returning
+ arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31
+ or later. Users should note that a number of changes were made to the
+ default AJP Connector configuration in 9.0.31 to harden the default
+ configuration. It is likely that users upgrading to 9.0.31 or later
+ will need to make small changes to their configurations as a result.</p>
+
+ <p>This was fixed with commits
+ <a href="https://github.com/apache/tomcat/commit/0e8a50f";>0e8a50f</a>,
+ <a href="https://github.com/apache/tomcat/commit/9ac9053";>9ac9053</a>,
+ <a href="https://github.com/apache/tomcat/commit/64fa5b9";>64fa5b9</a>,
+ <a href="https://github.com/apache/tomcat/commit/7a1406a";>7a1406a</a>
and
+ <a
href="https://github.com/apache/tomcat/commit/49ad3f9";>49ad3f9</a>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 3 January
+ 2020. The issue was made public on 24 February 2020.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.30</p>
+
+ <p><strong>Low: HTTP Request Smuggling</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1935";
rel="nofollow">CVE-2020-1935</a></p>
+
+ <p>The HTTP header parsing code used an approach to end-of-line (EOL)
+ parsing that allowed some invalid HTTP headers to be parsed as valid. This
+ led to a possibility of HTTP Request Smuggling if Tomcat was
+ located behind a reverse proxy that incorrectly handled the invalid
+ Transfer-Encoding header in a particular manner. Such a reverse proxy is
+ considered unlikely.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/8bfb0ff";>8bfb0ff</a>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by @ZeddYu
+ on 25 December 2019. The issue was made public on 24
+ February 2020.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.30</p>
+
+ <p><strong>Low: HTTP Request Smuggling</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17569";
rel="nofollow">CVE-2019-17569</a></p>
+
+ <p>The refactoring in 9.0.28 introduced a regression. The result of the
+ regression was that invalid Transfer-Encoding headers were incorrectly
+ processed leading to a possibility of HTTP Request Smuggling if Tomcat was
+ located behind a reverse proxy that incorrectly handled the invalid
+ Transfer-Encoding header in a particular manner. Such a reverse proxy is
+ considered unlikely.</p>
+
+ <p>This was fixed with commit
+ <a
href="https://github.com/apache/tomcat/commit/060ecc5";>060ecc5</a>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by @ZeddYu
+ on 12 December 2019. The issue was made public on 24
+ February 2020.</p>
+
+ <p>Affects: 9.0.28 to 9.0.30</p>
+
</div><h3 id="Fixed_in_Apache_Tomcat_9.0.30"><span class="pull-right">12
December 2019</span> Fixed in Apache Tomcat 9.0.30</h3><div class="text">
<p><strong>Low: Session fixation</strong>
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1874444&r1=1874443&r2=1874444&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Mon Feb 24 12:46:42 2020
@@ -50,6 +50,99 @@
</section>
+ <section name="Fixed in Apache Tomcat 7.0.100" rtext="14 February 2020">
+
+ <p><strong>High: AJP Request Injection and potential Remote Code
Execution</strong>
+ <cve>CVE-2020-1938</cve></p>
+
+ <p>When using the Apache JServ Protocol (AJP), care must be taken when
+ trusting incoming connections to Apache Tomcat. Tomcat treats AJP
+ connections as having higher trust than, for example, a similar HTTP
+ connection. If such connections are available to an attacker, they can
be
+ exploited in ways that may be surprising. Prior to Tomcat 7.0.100,
Tomcat
+ shipped with an AJP Connector enabled by default that listened on all
+ configured IP addresses. It was expected (and recommended in the
security
+ guide) that this Connector would be disabled if not required.</p>
+ <p>Prior to this vulnerability report, the known risks of an attacker being
+ able to access the AJP port directly were:</p>
+ <ul>
+ <li>bypassing security checks based on client IP address</li>
+ <li>bypassing user authentication if Tomcat was configured to trust
+ authentication data provided by the reverse proxy</li>
+ </ul>
+ <p>This vulnerability report identified a mechanism that allowed the
+ following:</p>
+ <ul>
+ <li>returning arbitrary files from anywhere in the web application
+ including under the WEB-INF and META-INF directories or any other
+ location reachable via ServletContext.getResourceAsStream()</li>
+ <li>processing any file in the web application as a JSP</li>
+ </ul>
+ <p>Further, if the web application allowed file upload and stored those
+ files within the web application (or the attacker was able to control
+ the content of the web application by some other means) then this, along
+ with the ability to process a file as a JSP, made remote code execution
+ possible.</p>
+ <p>It is important to note that mitigation is only required if an AJP port
+ is accessible to untrusted users. Users wishing to take a
+ defence-in-depth approach and block the vector that permits returning
+ arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31
+ or later. Users should note that a number of changes were made to the
+ default AJP Connector configuration in 7.0.100 to harden the default
+ configuration. It is likely that users upgrading to 7.0.100 or later
+ will need to make small changes to their configurations as a result.</p>
+
+ <p>This was fixed with commits
+ <hashlink hash="0d633e7">0d633e7</hashlink>,
+ <hashlink hash="40d5d93">40d5d93</hashlink>,
+ <hashlink hash="b99fba5">b99fba5</hashlink> and
+ <hashlink hash="f7180ba">f7180ba</hashlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 3 January
+ 2020. The issue was made public on 24 February 2020.</p>
+
+ <p>Affects: 7.0.0 to 7.0.99</p>
+
+ <p><strong>Low: HTTP Request Smuggling</strong>
+ <cve>CVE-2020-1935</cve></p>
+
+ <p>The HTTP header parsing code used an approach to end-of-line (EOL)
+ parsing that allowed some invalid HTTP headers to be parsed as valid. This
+ led to a possibility of HTTP Request Smuggling if Tomcat was
+ located behind a reverse proxy that incorrectly handled the invalid
+ Transfer-Encoding header in a particular manner. Such a reverse proxy is
+ considered unlikely.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="702bf15">702bf15</hashlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by @ZeddYu
+ on 25 December 2019. The issue was made public on 24
+ February 2020.</p>
+
+ <p>Affects: 7.0.0 to 7.0.99</p>
+
+ <p><strong>Low: HTTP Request Smuggling</strong>
+ <cve>CVE-2019-17569</cve></p>
+
+ <p>The refactoring in 7.0.98 introduced a regression. The result of the
+ regression was that invalid Transfer-Encoding headers were incorrectly
+ processed leading to a possibility of HTTP Request Smuggling if Tomcat was
+ located behind a reverse proxy that incorrectly handled the invalid
+ Transfer-Encoding header in a particular manner. Such a reverse proxy is
+ considered unlikely.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="b191a0d">b191a0d</hashlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by @ZeddYu
+ on 12 December 2019. The issue was made public on 24
+ February 2020.</p>
+
+ <p>Affects: 7.0.98 to 7.0.99</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 7.0.99" rtext="17 December 2019">
<p><strong>Low: Session fixation</strong>
Modified: tomcat/site/trunk/xdocs/security-8.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1874444&r1=1874443&r2=1874444&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Mon Feb 24 12:46:42 2020
@@ -50,6 +50,101 @@
</section>
+ <section name="Fixed in Apache Tomcat 8.5.51" rtext="11 February 2020">
+
+ <p><strong>High: AJP Request Injection and potential Remote Code
Execution</strong>
+ <cve>CVE-2020-1938</cve></p>
+
+ <p>When using the Apache JServ Protocol (AJP), care must be taken when
+ trusting incoming connections to Apache Tomcat. Tomcat treats AJP
+ connections as having higher trust than, for example, a similar HTTP
+ connection. If such connections are available to an attacker, they can
be
+ exploited in ways that may be surprising. Prior to Tomcat 8.5.51, Tomcat
+ shipped with an AJP Connector enabled by default that listened on all
+ configured IP addresses. It was expected (and recommended in the
security
+ guide) that this Connector would be disabled if not required.</p>
+ <p>Prior to this vulnerability report, the known risks of an attacker being
+ able to access the AJP port directly were:</p>
+ <ul>
+ <li>bypassing security checks based on client IP address</li>
+ <li>bypassing user authentication if Tomcat was configured to trust
+ authentication data provided by the reverse proxy</li>
+ </ul>
+ <p>This vulnerability report identified a mechanism that allowed the
+ following:</p>
+ <ul>
+ <li>returning arbitrary files from anywhere in the web application
+ including under the WEB-INF and META-INF directories or any other
+ location reachable via ServletContext.getResourceAsStream()</li>
+ <li>processing any file in the web application as a JSP</li>
+ </ul>
+ <p>Further, if the web application allowed file upload and stored those
+ files within the web application (or the attacker was able to control
+ the content of the web application by some other means) then this, along
+ with the ability to process a file as a JSP, made remote code execution
+ possible.</p>
+ <p>It is important to note that mitigation is only required if an AJP port
+ is accessible to untrusted users. Users wishing to take a
+ defence-in-depth approach and block the vector that permits returning
+ arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31
+ or later. Users should note that a number of changes were made to the
+ default AJP Connector configuration in 8.5.51 to harden the default
+ configuration. It is likely that users upgrading to 8.5.51 or later
+ will need to make small changes to their configurations as a result.</p>
+
+ <p>This was fixed with commits
+ <hashlink hash="69c5608">69c5608</hashlink>,
+ <hashlink hash="b962835">b962835</hashlink>,
+ <hashlink hash="5a5494f">5a5494f</hashlink>,
+ <hashlink hash="9be5760">9be5760</hashlink>,
+ <hashlink hash="64159aa">64159aa</hashlink> and
+ <hashlink hash="03c4361">03c4361</hashlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 3 January
+ 2020. The issue was made public on 24 February 2020.</p>
+
+ <p>Affects: 8.5.0 to 8.5.50</p>
+
+ <p><strong>Low: HTTP Request Smuggling</strong>
+ <cve>CVE-2020-1935</cve></p>
+
+ <p>The HTTP header parsing code used an approach to end-of-line (EOL)
+ parsing that allowed some invalid HTTP headers to be parsed as valid. This
+ led to a possibility of HTTP Request Smuggling if Tomcat was
+ located behind a reverse proxy that incorrectly handled the invalid
+ Transfer-Encoding header in a particular manner. Such a reverse proxy is
+ considered unlikely.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="8fbe2e9">8fbe2e9</hashlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by @ZeddYu
+ on 25 December 2019. The issue was made public on 24
+ February 2020.</p>
+
+ <p>Affects: 8.5.0 to 8.5.50</p>
+
+ <p><strong>Low: HTTP Request Smuggling</strong>
+ <cve>CVE-2019-17569</cve></p>
+
+ <p>The refactoring in 8.5.48 introduced a regression. The result of the
+ regression was that invalid Transfer-Encoding headers were incorrectly
+ processed leading to a possibility of HTTP Request Smuggling if Tomcat was
+ located behind a reverse proxy that incorrectly handled the invalid
+ Transfer-Encoding header in a particular manner. Such a reverse proxy is
+ considered unlikely.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="959f1df">959f1df</hashlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by @ZeddYu
+ on 12 December 2019. The issue was made public on 24
+ February 2020.</p>
+
+ <p>Affects: 8.5.48 to 8.5.50</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 8.5.50" rtext="12 December 2019">
<p><strong>Low: Session fixation</strong>
Modified: tomcat/site/trunk/xdocs/security-9.xml
URL:
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1874444&r1=1874443&r2=1874444&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Mon Feb 24 12:46:42 2020
@@ -50,6 +50,100 @@
</section>
+ <section name="Fixed in Apache Tomcat 9.0.31" rtext="11 February 2019">
+
+ <p><strong>High: AJP Request Injection and potential Remote Code
Execution</strong>
+ <cve>CVE-2020-1938</cve></p>
+
+ <p>When using the Apache JServ Protocol (AJP), care must be taken when
+ trusting incoming connections to Apache Tomcat. Tomcat treats AJP
+ connections as having higher trust than, for example, a similar HTTP
+ connection. If such connections are available to an attacker, they can
be
+ exploited in ways that may be surprising. Prior to Tomcat 9.0.31, Tomcat
+ shipped with an AJP Connector enabled by default that listened on all
+ configured IP addresses. It was expected (and recommended in the
security
+ guide) that this Connector would be disabled if not required.</p>
+ <p>Prior to this vulnerability report, the known risks of an attacker being
+ able to access the AJP port directly were:</p>
+ <ul>
+ <li>bypassing security checks based on client IP address</li>
+ <li>bypassing user authentication if Tomcat was configured to trust
+ authentication data provided by the reverse proxy</li>
+ </ul>
+ <p>This vulnerability report identified a mechanism that allowed the
+ following:</p>
+ <ul>
+ <li>returning arbitrary files from anywhere in the web application
+ including under the WEB-INF and META-INF directories or any other
+ location reachable via ServletContext.getResourceAsStream()</li>
+ <li>processing any file in the web application as a JSP</li>
+ </ul>
+ <p>Further, if the web application allowed file upload and stored those
+ files within the web application (or the attacker was able to control
+ the content of the web application by some other means) then this, along
+ with the ability to process a file as a JSP, made remote code execution
+ possible.</p>
+ <p>It is important to note that mitigation is only required if an AJP port
+ is accessible to untrusted users. Users wishing to take a
+ defence-in-depth approach and block the vector that permits returning
+ arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31
+ or later. Users should note that a number of changes were made to the
+ default AJP Connector configuration in 9.0.31 to harden the default
+ configuration. It is likely that users upgrading to 9.0.31 or later
+ will need to make small changes to their configurations as a result.</p>
+
+ <p>This was fixed with commits
+ <hashlink hash="0e8a50f">0e8a50f</hashlink>,
+ <hashlink hash="9ac9053">9ac9053</hashlink>,
+ <hashlink hash="64fa5b9">64fa5b9</hashlink>,
+ <hashlink hash="7a1406a">7a1406a</hashlink> and
+ <hashlink hash="49ad3f9">49ad3f9</hashlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team on 3 January
+ 2020. The issue was made public on 24 February 2020.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.30</p>
+
+ <p><strong>Low: HTTP Request Smuggling</strong>
+ <cve>CVE-2020-1935</cve></p>
+
+ <p>The HTTP header parsing code used an approach to end-of-line (EOL)
+ parsing that allowed some invalid HTTP headers to be parsed as valid. This
+ led to a possibility of HTTP Request Smuggling if Tomcat was
+ located behind a reverse proxy that incorrectly handled the invalid
+ Transfer-Encoding header in a particular manner. Such a reverse proxy is
+ considered unlikely.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="8bfb0ff">8bfb0ff</hashlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by @ZeddYu
+ on 25 December 2019. The issue was made public on 24
+ February 2020.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.30</p>
+
+ <p><strong>Low: HTTP Request Smuggling</strong>
+ <cve>CVE-2019-17569</cve></p>
+
+ <p>The refactoring in 9.0.28 introduced a regression. The result of the
+ regression was that invalid Transfer-Encoding headers were incorrectly
+ processed leading to a possibility of HTTP Request Smuggling if Tomcat was
+ located behind a reverse proxy that incorrectly handled the invalid
+ Transfer-Encoding header in a particular manner. Such a reverse proxy is
+ considered unlikely.</p>
+
+ <p>This was fixed with commit
+ <hashlink hash="060ecc5">060ecc5</hashlink>.</p>
+
+ <p>This issue was reported to the Apache Tomcat Security Team by @ZeddYu
+ on 12 December 2019. The issue was made public on 24
+ February 2020.</p>
+
+ <p>Affects: 9.0.28 to 9.0.30</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 9.0.30" rtext="12 December 2019">
<p><strong>Low: Session fixation</strong>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
![https://www.apache.org/images/SupportApache-small.png"](https://www.apache.org/images/SupportApache-small.png"){kind=link}
![https://www.apache.org/events/current-event-234x60.png"](https://www.apache.org/events/current-event-234x60.png"){kind=link}