1. Ubuntu Security Notices
  2. USN-7106-1

USN-7106-1: Tomcat vulnerabilities

Publication date

13 November 2024

Overview

Several security issues were fixed in Tomcat.

Releases

Packages

Details

It was discovered that Tomcat did not include the secure attribute for
session cookies when using the RemoteIpFilter with requests from a
reverse proxy. An attacker could possibly use this issue to leak
sensitive information. (CVE-2023-28708)

It was discovered that Tomcat had a vulnerability in its FORM
authentication feature, leading to an open redirect attack. An attacker
could possibly use this issue to perform phishing attacks. (CVE-2023-41080)

It was discovered that Tomcat incorrectly recycled certain objects,
which could lead to information leaking from one request to the next.
An attacker could potentially use this issue to leak sensitive
information. (CVE-2023-42795)

It was discovered that Tomcat incorrectly handled HTTP trailer headers. A
remote attacker could possibly use this issue to perform HTTP...

It was discovered that Tomcat did not include the secure attribute for
session cookies when using the RemoteIpFilter with requests from a
reverse proxy. An attacker could possibly use this issue to leak
sensitive information. (CVE-2023-28708)

It was discovered that Tomcat had a vulnerability in its FORM
authentication feature, leading to an open redirect attack. An attacker
could possibly use this issue to perform phishing attacks. (CVE-2023-41080)

It was discovered that Tomcat incorrectly recycled certain objects,
which could lead to information leaking from one request to the next.
An attacker could potentially use this issue to leak sensitive
information. (CVE-2023-42795)

It was discovered that Tomcat incorrectly handled HTTP trailer headers. A
remote attacker could possibly use this issue to perform HTTP request
smuggling. (CVE-2023-45648)

It was discovered that Tomcat incorrectly handled socket cleanup, which
could lead to websocket connections staying open. An attacker could
possibly use this issue to cause a denial of service. (CVE-2024-23672)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
22.04 jammy libtomcat9-java –  9.0.58-1ubuntu0.1+esm4  
tomcat9 –  9.0.58-1ubuntu0.1+esm4  
20.04 focal libtomcat9-java –  9.0.31-1ubuntu0.8
tomcat9 –  9.0.31-1ubuntu0.8
18.04 bionic libtomcat9-java –  9.0.16-3ubuntu0.18.04.2+esm4  
tomcat9 –  9.0.16-3ubuntu0.18.04.2+esm4  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

Have additional questions?

Talk to a member of the team ›