Bug 269652 - www/tomcat{85,9,101,-devel}: Update to 8.5.88, 9.0.74, 10.1.8, 11.0.0-M5 (CVE-2023-24998 FileUpload DoS with excessive parts)
Summary: www/tomcat{85,9,101,-devel}: Update to 8.5.88, 9.0.74, 10.1.8, 11.0.0-M5 (CVE...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal, Affects Many People
Assignee: Vladimir Druzenko
URL: https://tomcat.apache.org/
Keywords: security
Depends on:
Blocks:
 
Reported: 2023-02-18 13:38 UTC by Vladimir Druzenko
Modified: 2023-05-02 11:56 UTC
CC: 6 users

See Also:
vvd: maintainer-feedback+
fluffy: maintainer-feedback+
fluffy: merge-quarterly+


Attachments
updated to 8.5.85 (814 bytes, patch), 2023-02-18 13:38 UTC, Vladimir Druzenko, vvd: maintainer-approval+
updated to 9.0.71 (805 bytes, patch), 2023-02-18 13:39 UTC, Vladimir Druzenko, vvd: maintainer-approval+
update to 10.1.5 (1.17 KB, patch), 2023-02-18 13:40 UTC, Vladimir Druzenko, vvd: maintainer-approval+
updated to 9.0.72 (1.90 KB, patch), 2023-02-23 15:02 UTC, Vladimir Druzenko, vvd: maintainer-approval+
update to 11.0.0-M3 (2.90 KB, patch), 2023-02-23 15:04 UTC, Vladimir Druzenko, vvd: maintainer-approval+
update to 8.5.86 (1.92 KB, patch), 2023-02-24 17:46 UTC, Vladimir Druzenko, vvd: maintainer-approval+
update to 10.1.6 (2.11 KB, patch), 2023-02-24 17:54 UTC, Vladimir Druzenko, vvd: maintainer-approval+
update to 11.0.0-M3 and "JAVA_VERSION=17+" (3.05 KB, patch), 2023-02-24 18:05 UTC, Vladimir Druzenko, vvd: maintainer-approval+
update to 8.5.87 (1.92 KB, patch), 2023-03-17 11:48 UTC, Vladimir Druzenko, vvd: maintainer-approval+
update to 10.1.7 (1.90 KB, patch), 2023-03-17 11:49 UTC, Vladimir Druzenko, vvd: maintainer-approval+
updated to 9.0.73 (1.90 KB, patch), 2023-03-17 11:51 UTC, Vladimir Druzenko, vvd: maintainer-approval+
update to 10.1.7 (2.11 KB, patch), 2023-03-17 11:51 UTC, Vladimir Druzenko, vvd: maintainer-approval+
update to 11.0.0-M4 (3.05 KB, patch), 2023-03-17 11:52 UTC, Vladimir Druzenko, vvd: maintainer-approval+
Update to 11.0.0-M5 (3.05 KB, patch), 2023-04-19 10:22 UTC, Vladimir Druzenko, vvd: maintainer-approval+
Updated to 9.0.74 (2.05 KB, patch), 2023-04-19 10:23 UTC, Vladimir Druzenko, vvd: maintainer-approval+
Update to 8.5.88 (1.92 KB, patch), 2023-04-20 20:36 UTC, Vladimir Druzenko, vvd: maintainer-approval+
Update to 10.1.8 (2.11 KB, patch), 2023-04-20 20:37 UTC, Vladimir Druzenko, vvd: maintainer-approval+

Description Vladimir Druzenko freebsd_committer freebsd_triage 2023-02-18 13:38:24 UTC
Created attachment 240234 [details]
updated to 8.5.85

Tested on 13.1-p7 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.85_(schultz)
Comment 1 Vladimir Druzenko freebsd_committer freebsd_triage 2023-02-18 13:39:41 UTC
Created attachment 240235 [details]
updated to 9.0.71

Tested on 13.1-p7 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.71_(remm)
Comment 2 Vladimir Druzenko freebsd_committer freebsd_triage 2023-02-18 13:40:58 UTC
Created attachment 240236 [details]
update to 10.1.5

Tested on 13.1-p7 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.5_(markt)
Comment 3 Graham Perrin freebsd_committer freebsd_triage 2023-02-18 18:19:36 UTC
Triage: severity reduced to the norm for an update to a port.
Comment 4 Michael Osipov 2023-02-22 11:12:58 UTC
(In reply to Graham Perrin from comment #3)

Not quite, these releases fix a CVE in Commons Fileupload.
Comment 5 Vladimir Druzenko freebsd_committer freebsd_triage 2023-02-22 12:25:19 UTC
CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1
Apache Tomcat 10.1.0-M1 to 10.1.4
Apache Tomcat 9.0.0-M1 to 9.0.70
Apache Tomcat 8.5.0 to 8.5.84

Description:
Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M3 or later when released
- Upgrade to Apache Tomcat 10.1.5 or later
- Upgrade to Apache Tomcat 9.0.71 or later
- Upgrade to Apache Tomcat 8.5.85 or later
- Note 11.0.0-M2 was not released

Credit:
This issue was identified by Jakob Ackermann

History:
2023-01-03 Original advisory
2023-01-03 Corrected credit

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-11.html
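As an added illustration of the failure mode the advisory describes, and not code from Tomcat, Commons FileUpload or this port: a minimal multipart/form-data part counter. Run with no ceiling it does what the unpatched code path did (processes every part the client sends); with a ceiling it stops as soon as the limit is exceeded, so the part count is no longer under the client's control. The boundary, the sample bodies and the `max_parts` parameter name are constructed for this example.

```python
from typing import Optional


class TooManyParts(Exception):
    """Raised when a multipart body carries more parts than the configured ceiling."""


def count_parts(body: bytes, boundary: str, max_parts: Optional[int] = None) -> int:
    """Count the parts of a multipart/form-data body delimited by "--" + boundary.

    max_parts=None mirrors the behaviour the advisory describes: there is no
    limit, so a body with a huge number of parts is walked to the end.
    With a ceiling, the function aborts on the (max_parts + 1)-th part, which
    bounds the work per request regardless of what the client sends.
    This counter only looks at delimiters; it does not parse part headers.
    """
    delimiter = b"--" + boundary.encode()
    count = 0
    pos = 0
    while True:
        idx = body.find(delimiter, pos)
        if idx == -1:
            break                      # no further delimiter: malformed or truncated body
        end = idx + len(delimiter)
        if body[end:end + 2] == b"--":  # "--boundary--" is the closing delimiter
            break
        count += 1
        if max_parts is not None and count > max_parts:
            raise TooManyParts(f"request carries more than {max_parts} parts")
        pos = end
    return count


def make_body(boundary: str, n_parts: int) -> bytes:
    """Construct a multipart/form-data body with n_parts small text fields (sample input)."""
    delim = b"--" + boundary.encode()
    parts = []
    for i in range(n_parts):
        parts.append(
            delim + b"\r\n"
            + b'Content-Disposition: form-data; name="f' + str(i).encode() + b'"\r\n'
            + b"\r\nx\r\n"
        )
    return b"".join(parts) + delim + b"--\r\n"


if __name__ == "__main__":
    print(count_parts(make_body("bnd", 5), "bnd"))                 # unlimited: 5
    try:
        count_parts(make_body("bnd", 100000), "bnd", max_parts=50)
    except TooManyParts as exc:
        print("rejected:", exc)                                     # ceiling enforced
```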
Comment 6 Vladimir Druzenko freebsd_committer freebsd_triage 2023-02-23 15:02:53 UTC
Created attachment 240346 [details]
updated to 9.0.72

Tested on 13.1-p7 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.72_(remm)
Comment 7 Vladimir Druzenko freebsd_committer freebsd_triage 2023-02-23 15:04:03 UTC
Created attachment 240347 [details]
update to 11.0.0-M3

Tested on 13.1-p7 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-11.0-doc/changelog.html#Tomcat_11.0.0-M3_(markt)
Comment 8 Dima Panov freebsd_committer freebsd_triage 2023-02-23 22:51:04 UTC
Submitter is committer now, assign

MFH to Q1 is possible

Dima, on behalf of ports-secteam
Comment 9 Vladimir Druzenko freebsd_committer freebsd_triage 2023-02-23 23:10:35 UTC
(In reply to Dima Panov from comment #8)
> Submitter is committer now, assign
Yes, but I'm still stuck on "Steps for New Committers" (https://docs.freebsd.org/en/articles/committers-guide/#conventions)… :-o
Comment 10 Graham Perrin freebsd_committer freebsd_triage 2023-02-24 06:08:32 UTC
(In reply to Dima Panov from comment #8)

> Flags: merge-quarterly+

This signifies that a merge from main to quarterly has occurred (two commits), I see no commit …
Comment 11 Vladimir Druzenko freebsd_committer freebsd_triage 2023-02-24 17:46:00 UTC
Created attachment 240384 [details]
update to 8.5.86

Tested on 13.1-p7 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.86_(schultz)
Comment 12 Vladimir Druzenko freebsd_committer freebsd_triage 2023-02-24 17:54:37 UTC
Created attachment 240387 [details]
update to 10.1.6

Tested on 13.1-p7 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.6_(markt)
Comment 13 Vladimir Druzenko freebsd_committer freebsd_triage 2023-02-24 18:05:55 UTC
Created attachment 240388 [details]
update to 11.0.0-M3 and "JAVA_VERSION=17+"

Tested on 13.1-p7 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-11.0-doc/changelog.html#Tomcat_11.0.0-M3_(markt)
Comment 14 Vladimir Druzenko freebsd_committer freebsd_triage 2023-02-24 18:07:37 UTC
(In reply to VVD from comment #12)
https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.6_(schultz)
Comment 15 Michael Osipov 2023-03-17 08:54:38 UTC
Meanwhile, while this was open, the next versions have been released:
https://www.mail-archive.com/users@tomcat.apache.org/msg141010.html
Comment 16 Vladimir Druzenko freebsd_committer freebsd_triage 2023-03-17 11:47:49 UTC
(In reply to Michael Osipov from comment #15)
I know.
I have had all the patches for 2 weeks already.
I got the ports commit bit, but I can't find time to do the "1st steps"…
Comment 17 Vladimir Druzenko freebsd_committer freebsd_triage 2023-03-17 11:48:37 UTC
Created attachment 240919 [details]
update to 8.5.87
Comment 18 Vladimir Druzenko freebsd_committer freebsd_triage 2023-03-17 11:49:01 UTC
Created attachment 240920 [details]
update to 10.1.7
Comment 19 Vladimir Druzenko freebsd_committer freebsd_triage 2023-03-17 11:51:02 UTC
Created attachment 240921 [details]
updated to 9.0.73
Comment 20 Vladimir Druzenko freebsd_committer freebsd_triage 2023-03-17 11:51:33 UTC
Created attachment 240922 [details]
update to 10.1.7
Comment 21 Vladimir Druzenko freebsd_committer freebsd_triage 2023-03-17 11:52:08 UTC
Created attachment 240923 [details]
update to 11.0.0-M4
Comment 22 Lapo Luchini 2023-04-12 09:32:47 UTC
There's also CVE-2023-28708:

"When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel."
Comment 23 Vladimir Druzenko freebsd_committer freebsd_triage 2023-04-19 10:22:43 UTC
Created attachment 241579 [details]
Update to 11.0.0-M5
Comment 24 Vladimir Druzenko freebsd_committer freebsd_triage 2023-04-19 10:23:43 UTC
Created attachment 241580 [details]
Updated to 9.0.74
Comment 25 Vladimir Druzenko freebsd_committer freebsd_triage 2023-04-20 20:36:43 UTC
Created attachment 241622 [details]
Update to 8.5.88
Comment 26 Vladimir Druzenko freebsd_committer freebsd_triage 2023-04-20 20:37:28 UTC
Created attachment 241624 [details]
Update to 10.1.8
Comment 27 Gleb Popov freebsd_committer freebsd_triage 2023-05-01 07:31:20 UTC
With mentor's hat: LGTM.
Comment 28 commit-hook freebsd_committer freebsd_triage 2023-05-01 12:38:24 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=0932776313063a4af1dc76e54b9cb6da9bedc954

commit 0932776313063a4af1dc76e54b9cb6da9bedc954
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2023-05-01 12:26:29 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2023-05-01 12:36:58 +0000

    www/tomcat{85,9,101,-devel}: Update to 8.5.88, 9.0.74, 10.1.8, 11.0.0-M5

    CVE-2023-24998 FileUpload DoS with excessive parts
    ChangeLog:
    https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.88_(schultz)
    https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.74_(remm)
    https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.8_(schultz)
    https://tomcat.apache.org/tomcat-11.0-doc/changelog.html#Tomcat_11.0.0-M5_(markt)

    PR: 269652
    Reported by: Vladimir Druzenko <vvd@FreeBSD.org>
    Approved by: arrowd (mentor)

 www/tomcat-devel/Makefile  |  4 ++--
 www/tomcat-devel/distinfo  |  6 +++---
 www/tomcat-devel/pkg-plist | 10 ++++++----
 www/tomcat101/Makefile     |  2 +-
 www/tomcat101/distinfo     |  6 +++---
 www/tomcat101/pkg-plist    |  6 +++++-
 www/tomcat85/Makefile      |  2 +-
 www/tomcat85/distinfo      |  6 +++---
 www/tomcat85/pkg-plist     |  4 ++++
 www/tomcat9/Makefile       |  2 +-
 www/tomcat9/distinfo       |  6 +++---
 www/tomcat9/pkg-plist      |  4 ++++
 12 files changed, 36 insertions(+), 22 deletions(-)
Comment 29 commit-hook freebsd_committer freebsd_triage 2023-05-02 11:40:00 UTC
A commit in branch 2023Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=fb1d87b6ba281eab5db043ccee0165b1f0c4fe75

commit fb1d87b6ba281eab5db043ccee0165b1f0c4fe75
Author:     Vladimir Druzenko <vvd@FreeBSD.org>
AuthorDate: 2023-05-01 12:26:29 +0000
Commit:     Vladimir Druzenko <vvd@FreeBSD.org>
CommitDate: 2023-05-02 11:38:52 +0000

    www/tomcat{85,9,101,-devel}: Update to 8.5.88, 9.0.74, 10.1.8, 11.0.0-M5

    CVE-2023-24998 FileUpload DoS with excessive parts
    ChangeLog:
    https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.88_(schultz)
    https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.74_(remm)
    https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.8_(schultz)
    https://tomcat.apache.org/tomcat-11.0-doc/changelog.html#Tomcat_11.0.0-M5_(markt)

    PR: 269652
    Reported by: Vladimir Druzenko <vvd@FreeBSD.org>
    Approved by: arrowd (mentor)

    (cherry picked from commit 0932776313063a4af1dc76e54b9cb6da9bedc954)

 www/tomcat-devel/Makefile  |  4 ++--
 www/tomcat-devel/distinfo  |  6 +++---
 www/tomcat-devel/pkg-plist | 10 ++++++----
 www/tomcat101/Makefile     |  2 +-
 www/tomcat101/distinfo     |  6 +++---
 www/tomcat101/pkg-plist    |  6 +++++-
 www/tomcat85/Makefile      |  2 +-
 www/tomcat85/distinfo      |  6 +++---
 www/tomcat85/pkg-plist     |  4 ++++
 www/tomcat9/Makefile       |  2 +-
 www/tomcat9/distinfo       |  6 +++---
 www/tomcat9/pkg-plist      |  4 ++++
 12 files changed, 36 insertions(+), 22 deletions(-)