SB20260422214 - Anolis OS update for tomcat

Published: April 22, 2026

Security Bulletin ID: SB20260422214
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 8
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 75%, Low: 25%

Description

This security bulletin contains information about 8 security vulnerabilities.


1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-24880)

The vulnerability allows a remote attacker to perform request smuggling.

The vulnerability exists due to improper input validation in HTTP/1.1 chunk extension handling when parsing chunked requests. A remote attacker can send a specially crafted request with an invalid chunk extension to perform request smuggling.

Exploitation requires a reverse proxy in front of Tomcat that allows CRLF sequences in an otherwise valid chunk extension.
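The defect class in entry 1 is a parser that tolerates something the chunked-encoding grammar forbids, so that the reverse proxy and Tomcat can disagree about where one request ends and the next begins. The decoder below is an added illustration written for this bulletin, not Tomcat's code and not a description of the specific bug: it shows what a strict recipient does with a chunk-size line, rejecting any bare CR or LF before the terminating CRLF and any extension that does not match the RFC 9112 chunk-ext grammar. Trailer fields are deliberately unsupported; the function names and sample inputs are constructed for the example.

```python
import re

# Grammar per RFC 9112 section 7.1.1, reduced to the character classes it
# permits (a strict subset is the safe direction for a recipient):
#   chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
_TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = rb'"(?:[^"\\\r\n]|\\[^\r\n])*"'
_CHUNK_EXT = re.compile(
    rb"^(?:[ \t]*;[ \t]*" + _TOKEN
    + rb"(?:[ \t]*=[ \t]*(?:" + _TOKEN + rb"|" + _QUOTED + rb"))?)*$"
)
_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]+)(.*)$")


class ChunkError(ValueError):
    """Raised for any framing the strict decoder refuses to interpret."""


def decode_chunked(data: bytes) -> bytes:
    """Decode a chunked message body, rejecting malformed chunk-size lines.

    Trailer fields are not supported: the body must end with 0 CRLF CRLF.
    """
    body = bytearray()
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise ChunkError("chunk-size line not terminated by CRLF")
        line = data[pos:end]
        # A bare CR or LF anywhere before the terminating CRLF is never valid;
        # tolerating it is exactly what lets two parsers disagree on framing.
        if b"\r" in line or b"\n" in line:
            raise ChunkError("bare CR/LF in chunk-size line")
        m = _SIZE_LINE.match(line)
        if not m:
            raise ChunkError("chunk size is not hexadecimal")
        size, ext = int(m.group(1), 16), m.group(2)
        if size > 0xFFFFFFFF:
            raise ChunkError("chunk size out of range")
        if not _CHUNK_EXT.match(ext):
            raise ChunkError("invalid chunk extension %r" % ext)
        pos = end + 2
        if size == 0:
            if data[pos:pos + 2] != b"\r\n":
                raise ChunkError("missing final CRLF")
            if len(data) != pos + 2:
                raise ChunkError("trailing bytes after last chunk")
            return bytes(body)
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("chunk data not followed by CRLF")
        body += chunk
        pos += size + 2


def is_valid_chunked(data: bytes) -> bool:
    """Convenience predicate: True if the strict decoder accepts the body."""
    try:
        decode_chunked(data)
        return True
    except ChunkError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a well-formed body and one with a bare CR inside
    # the extension value, which a strict decoder must refuse.
    print(decode_chunked(b"4;ext=val\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
    print(is_valid_chunked(b"4;ext=a\rb\r\nWiki\r\n0\r\n\r\n"))
```

The same predicate can be pointed at a proxy's observed behaviour: if the proxy forwards a body that `is_valid_chunked` rejects, the proxy is the component that needs tightening, independently of the Tomcat update.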


2) Configuration (CVE-ID: CVE-2026-29129)

The vulnerability allows a remote attacker to cause the server to use TLS cipher suites in an unintended order.

The vulnerability exists due to improper configuration handling in TLS 1.3 cipher suite configuration when negotiating TLS connections. A remote attacker can initiate a TLS connection to cause the server to use TLS cipher suites in an unintended order.


3) Improper Certificate Validation (CVE-ID: CVE-2026-29145)

The vulnerability allows a remote user to bypass certificate revocation checks during authentication.

The vulnerability exists due to improper certificate validation in CLIENT_CERT authentication when processing OCSP checks in some scenarios with soft fail disabled. A remote user can present a certificate in affected scenarios to bypass certificate revocation checks during authentication.

Only some scenarios are affected when soft fail is disabled.


4) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2026-29146)

The vulnerability allows a remote attacker to decrypt protected communications.

The vulnerability exists due to the use of a padding-oracle-prone cryptographic mode in EncryptInterceptor when processing encrypted traffic with the default CBC configuration. A remote attacker can perform a padding oracle attack to decrypt protected communications.


5) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-34483)

The vulnerability allows a remote attacker to inject arbitrary JSON into the JSON access log.

The vulnerability exists due to incomplete escaping in the JSON access log when handling requests with non-default Connector attributes relaxedPathChars and/or relaxedQueryChars. A remote attacker can send a specially crafted request to inject arbitrary JSON into the JSON access log.

Only configurations using non-default values for relaxedPathChars and/or relaxedQueryChars are affected.
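Entry 5 is the familiar shape of log injection: a JSON line built by string formatting with an escaping routine that covers only the characters the connector normally lets through, so widening the accepted set with relaxedPathChars or relaxedQueryChars lets a request break out of a field. The code below is an added illustration, not Tomcat's access-log implementation: `naive_entry` is a constructed stand-in for the defect class, `safe_entry` is the hardened form that hands every field to a real JSON encoder, and `audit_line` is a consumer-side check a log pipeline can run to flag lines that do not have exactly the expected keys and types. The sample path is constructed; the double quote in it is assumed to be one of the characters that Tomcat rejects by default and admits only when relaxedPathChars lists it.

```python
import json

EXPECTED_KEYS = {"method", "path", "status"}


def naive_entry(method: str, path: str, status: int) -> str:
    """Constructed illustration of the defect class (not Tomcat's code):
    JSON assembled by string formatting, with an escaping step that only
    covers backslash. A double quote in the path ends the "path" string
    early and whatever follows becomes part of the JSON object."""
    escaped = path.replace("\\", "\\\\")
    return '{"method":"%s","path":"%s","status":%d}' % (method, escaped, status)


def safe_entry(method: str, path: str, status: int) -> str:
    """Hardened form: a real JSON encoder escapes quotes, backslashes and
    control characters in every field, whatever the connector let through."""
    return json.dumps({"method": method, "path": path, "status": status},
                      separators=(",", ":"))


def audit_line(line: str):
    """Consumer-side check for an access-log pipeline: returns (ok, reason).

    A line is accepted only if it is one JSON object with exactly the
    expected keys and field types; anything else is flagged for review.
    """
    try:
        obj = json.loads(line)
    except ValueError:
        return False, "not valid JSON"
    if not isinstance(obj, dict):
        return False, "not a JSON object"
    if set(obj) != EXPECTED_KEYS:
        return False, "unexpected keys: %s" % sorted(set(obj) ^ EXPECTED_KEYS)
    if not isinstance(obj["path"], str) or not isinstance(obj["status"], int):
        return False, "wrong field type"
    return True, ""


def logged_path(line: str) -> str:
    """Return the path field as a log consumer would read it back."""
    return json.loads(line)["path"]


# Constructed request path containing a double quote (assumed to reach the
# access log only under a non-default relaxedPathChars setting).
SAMPLE_PATH = '/app/x","extra":"1'

if __name__ == "__main__":
    for entry in (naive_entry("GET", SAMPLE_PATH, 404),
                  safe_entry("GET", SAMPLE_PATH, 404)):
        print(entry, audit_line(entry))
```

The audit catches the naive line because the injected text shows up as an extra key; the hardened line parses back to the original path. Running such a check on the consumer side is cheap and works regardless of which component produced the log.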


6) Protection Mechanism Failure (CVE-ID: CVE-2026-34486)

The vulnerability allows a remote attacker to bypass the EncryptInterceptor.

The vulnerability exists due to an implementation error in the EncryptInterceptor when processing traffic protected by the fix for #VU125739 (CVE-2026-29146). A remote attacker can exploit the flawed handling to bypass the EncryptInterceptor.


7) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2026-34487)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into log output in the cloud membership component used for clustering when writing log messages. A remote attacker can trigger log entries that expose the Kubernetes bearer token to disclose sensitive information.
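For entry 7 the practical defender questions are whether a token has already landed in collected logs and how to keep it out of anything forwarded. The scanner below is an added example, not part of Tomcat or of this bulletin: it redacts tokens introduced by a Bearer scheme and, as a heuristic, anything with the three-segment JWT shape of a Kubernetes service-account token, and reports a hit count per line that a SIEM rule can alert on. The log lines and the token are constructed and the line format is made up; nothing here reproduces Tomcat's actual log output.

```python
import re

# A Kubernetes service-account token is a JWT: three base64url segments
# joined by dots. Two patterns: the token introduced by a Bearer scheme, and
# the bare three-segment shape for tokens logged without any prefix (a
# heuristic; tune the minimum segment length for your environment).
_BEARER = re.compile(r"(?i)(\bbearer\s+)([A-Za-z0-9_\-.=]+)")
_JWT = re.compile(r"\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")
REDACTED = "[REDACTED]"


def redact(line: str):
    """Return (redacted_line, hit_count) for one log line."""
    line, n_bearer = _BEARER.subn(lambda m: m.group(1) + REDACTED, line)
    line, n_jwt = _JWT.subn(REDACTED, line)
    return line, n_bearer + n_jwt


def scan_log(lines):
    """Detection pass over log lines.

    Returns a list of (line_no, hits, redacted_line): alert on hits > 0,
    forward only the redacted text.
    """
    results = []
    for line_no, line in enumerate(lines, 1):
        out, hits = redact(line)
        results.append((line_no, hits, out))
    return results


# Constructed sample lines in a made-up format; the token is a dummy JWT.
SAMPLE_LINES = [
    "2026-04-22T10:00:01Z INFO  cloud-membership: GET "
    "https://kubernetes.default.svc/api/v1/namespaces/demo/pods "
    "headers={Authorization: Bearer "
    "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlLWRlbW8}",
    "2026-04-22T10:00:01Z INFO  cloud-membership: 3 members found in namespace demo",
    "2026-04-22T10:00:02Z DEBUG cloud-membership: token file refreshed, "
    "token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlLWRlbW8",
]

if __name__ == "__main__":
    for line_no, hits, out in scan_log(SAMPLE_LINES):
        print(line_no, hits, out)
```

Where a token has already been logged, the hit list tells you which lines to treat as exposed; rotating the service-account token is the remediation for the exposure itself, and the update in this bulletin stops the logging.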


8) Improper Certificate Validation (CVE-ID: CVE-2026-34500)

The vulnerability allows a remote user to bypass client certificate authentication.

The vulnerability exists due to improper certificate validation in CLIENT_CERT authentication when processing OCSP checks with FFM and soft-fail disabled. A remote user can present a certificate in affected scenarios to bypass client certificate authentication.

Only some scenarios using FFM are affected.


Remediation

Install the update from the vendor's website.