SB2021031719 - Red Hat Enterprise Linux 7.6 update for tomcat
Published: March 17, 2021
Security Bulletin ID
SB2021031719
Severity
Medium
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Session Fixation (CVE-ID: CVE-2019-17563)
The vulnerability allows a remote attacker to perform a session fixation attack.
The vulnerability exists due to a race condition when FORM authentication is used in Apache Tomcat. A remote attacker can use a narrow window to perform a session fixation attack.
2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2020-1935)
The vulnerability allows a remote attacker to perform HTTP request smuggling attack.
The vulnerability exists due to the HTTP header parsing code uses an approach to end-of-line parsing that allows some invalid HTTP headers to be parsed as valid. A remote attacker can send a specially crafted HTTP request and perform HTTP request smuggling attack.Remediation
Install update from vendor's website.