SB20240312180 - openEuler update for tomcat
Published: March 12, 2024 Updated: May 23, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-24998)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Apache Commons FileUpload does not limit the number of request parts. A remote attacker can initiate a series of uploads and perform a denial of service (DoS) attack.
2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2023-28709)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an incomplete fox for #VU72427 (CVE-2023-24998). If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed. A remote attacker can initiate a series of uploads and perform a denial of service (DoS) attack.3) Resource management error (CVE-ID: CVE-2023-42795)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper management of internal resources within the application when recycling various internal objects. A remote attacker can force Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.
Remediation
Install update from vendor's website.