
USN-5360-1: Tomcat vulnerabilities

31 March 2022

Several security issues were fixed in Tomcat.

Releases

Packages

  • tomcat9 - Apache Tomcat 9 - Servlet and JSP engine

Details

It was discovered that Tomcat incorrectly performed input verification.
A remote attacker could possibly use this issue to intercept sensitive
information. (CVE-2020-13943, CVE-2020-17527, CVE-2021-25122, CVE-2021-30640)

It was discovered that Tomcat did not properly deserialize untrusted data.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-9484, CVE-2021-33037)

It was discovered that Tomcat did not properly validate the input length. An
attacker could possibly use this to trigger an infinite loop, resulting in a
denial of service. (CVE-2020-9494, CVE-2021-25329, CVE-2021-41079)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 20.04
Ubuntu 18.04

In general, a standard system update will make all the necessary changes.

Related notices

  • USN-4448-1: tomcat8-docs, libtomcat8-java, libservlet3.1-java-doc, tomcat8-user, tomcat8-admin, tomcat8-examples, libservlet3.1-java, tomcat8-common, tomcat8
  • USN-4596-1: tomcat9-common, libtomcat9-java, libtomcat9-embed-java, tomcat9-docs, tomcat9-admin, tomcat9, tomcat9-user, tomcat9-examples