[Git][java-team/tomcat9][bullseye] 4 commits: Fix CVE-2021-43980, CVE-2022-23181 and CVE-2022-29885

Markus Koschany (@apo) gitlab at salsa.debian.org
Sat Oct 29 17:36:10 BST 2022



Markus Koschany pushed to branch bullseye at Debian Java Maintainers / tomcat9


Commits:
5cbf1860 by Markus Koschany at 2022-10-29T16:43:29+02:00
Fix CVE-2021-43980, CVE-2022-23181 and CVE-2022-29885

- - - - -
df269c31 by Markus Koschany at 2022-10-29T17:00:14+02:00
Remove CVE-2021-43980.patch

- - - - -
e4868914 by Markus Koschany at 2022-10-29T17:03:20+02:00
Rebase CVE-2021-43980.patch

- - - - -
3b0f9f43 by Markus Koschany at 2022-10-29T17:04:24+02:00
Update changelog

- - - - -


5 changed files:

- debian/changelog
- + debian/patches/CVE-2021-43980.patch
- + debian/patches/CVE-2022-23181.patch
- + debian/patches/CVE-2022-29885.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,27 @@
+tomcat9 (9.0.43-2~deb11u4) bullseye-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2021-43980:
+    The simplified implementation of blocking reads and writes introduced in
+    Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing
+    (but extremely hard to trigger) concurrency bug that could cause client
+    connections to share an Http11Processor instance resulting in responses, or
+    part responses, to be received by the wrong client.
+  * Fix CVE-2022-23181:
+    The fix for bug CVE-2020-9484 introduced a time of check, time of use
+    vulnerability into Apache Tomcat that allowed a local attacker to perform
+    actions with the privileges of the user that the Tomcat process is using.
+    This issue is only exploitable when Tomcat is configured to persist sessions
+    using the FileStore.
+  * Fix CVE-2022-29885:
+    The documentation of Apache Tomcat for the EncryptInterceptor incorrectly
+    stated it enabled Tomcat clustering to run over an untrusted network. This
+    was not correct. While the EncryptInterceptor does provide confidentiality
+    and integrity protection, it does not protect against all risks associated
+    with running over any untrusted network, particularly DoS risks.
+
+ -- Markus Koschany <apo at debian.org>  Sat, 29 Oct 2022 17:03:57 +0200
+
 tomcat9 (9.0.43-2~deb11u3) bullseye-security; urgency=high
 
   * Team upload.


=====================================
debian/patches/CVE-2021-43980.patch
=====================================
@@ -0,0 +1,164 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 29 Oct 2022 17:01:16 +0200
+Subject: CVE-2021-43980
+
+Origin: https://github.com/apache/tomcat/commit/170e0f792bd18ff031677890ba2fe50eb7a376c1
+---
+ java/org/apache/coyote/AbstractProtocol.java       | 32 ++++++++++++----------
+ .../apache/tomcat/util/net/SocketWrapperBase.java  | 17 ++++++++----
+ 2 files changed, 29 insertions(+), 20 deletions(-)
+
+diff --git a/java/org/apache/coyote/AbstractProtocol.java b/java/org/apache/coyote/AbstractProtocol.java
+index 227f9c1..62e837c 100644
+--- a/java/org/apache/coyote/AbstractProtocol.java
++++ b/java/org/apache/coyote/AbstractProtocol.java
+@@ -794,7 +794,11 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
+ 
+             S socket = wrapper.getSocket();
+ 
+-            Processor processor = (Processor) wrapper.getCurrentProcessor();
++            // We take complete ownership of the Processor inside of this method to ensure
++            // no other thread can release it while we're using it. Whatever processor is
++            // held by this variable will be associated with the SocketWrapper before this
++            // method returns.
++            Processor processor = (Processor) wrapper.takeCurrentProcessor();
+             if (getLog().isDebugEnabled()) {
+                 getLog().debug(sm.getString("abstractConnectionHandler.connectionsGet",
+                         processor, socket));
+@@ -879,9 +883,6 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
+                 processor.setSslSupport(
+                         wrapper.getSslSupport(getProtocol().getClientCertProvider()));
+ 
+-                // Associate the processor with the connection
+-                wrapper.setCurrentProcessor(processor);
+-
+                 SocketState state = SocketState.CLOSED;
+                 do {
+                     state = processor.process(wrapper, status);
+@@ -901,8 +902,6 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
+                                 release(processor);
+                                 // Create the upgrade processor
+                                 processor = upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());
+-                                // Associate with the processor with the connection
+-                                wrapper.setCurrentProcessor(processor);
+                             } else {
+                                 if (getLog().isDebugEnabled()) {
+                                     getLog().debug(sm.getString(
+@@ -922,8 +921,6 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
+                                 getLog().debug(sm.getString("abstractConnectionHandler.upgradeCreate",
+                                         processor, wrapper));
+                             }
+-                            // Associate with the processor with the connection
+-                            wrapper.setCurrentProcessor(processor);
+                             // Initialise the upgrade handler (which may trigger
+                             // some IO using the new protocol which is why the lines
+                             // above are necessary)
+@@ -961,8 +958,8 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
+                 } else if (state == SocketState.OPEN) {
+                     // In keep-alive but between requests. OK to recycle
+                     // processor. Continue to poll for the next request.
+-                    wrapper.setCurrentProcessor(null);
+                     release(processor);
++                    processor = null;
+                     wrapper.registerReadInterest();
+                 } else if (state == SocketState.SENDFILE) {
+                     // Sendfile in progress. If it fails, the socket will be
+@@ -987,8 +984,7 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
+                     // Connection closed. OK to recycle the processor.
+                     // Processors handling upgrades require additional clean-up
+                     // before release.
+-                    wrapper.setCurrentProcessor(null);
+-                    if (processor.isUpgrade()) {
++                    if (processor != null && processor.isUpgrade()) {
+                         UpgradeToken upgradeToken = processor.getUpgradeToken();
+                         HttpUpgradeHandler httpUpgradeHandler = upgradeToken.getHttpUpgradeHandler();
+                         InstanceManager instanceManager = upgradeToken.getInstanceManager();
+@@ -1009,7 +1005,13 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
+                             }
+                         }
+                     }
++
+                     release(processor);
++                    processor = null;
++                }
++
++                if (processor != null) {
++                    wrapper.setCurrentProcessor(processor);
+                 }
+                 return state;
+             } catch(java.net.SocketException e) {
+@@ -1047,7 +1049,6 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
+ 
+             // Make sure socket/processor is removed from the list of current
+             // connections
+-            wrapper.setCurrentProcessor(null);
+             release(processor);
+             return SocketState.CLOSED;
+         }
+@@ -1081,7 +1082,9 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
+ 
+         /**
+          * Expected to be used by the handler once the processor is no longer
+-         * required.
++         * required. Care must be taken to ensure that this method is only
++         * called once per processor, after the request processing has
++         * completed.
+          *
+          * @param processor Processor being released (that was associated with
+          *                  the socket)
+@@ -1119,8 +1122,7 @@ public abstract class AbstractProtocol<S> implements ProtocolHandler,
+          */
+         @Override
+         public void release(SocketWrapperBase<S> socketWrapper) {
+-            Processor processor = (Processor) socketWrapper.getCurrentProcessor();
+-            socketWrapper.setCurrentProcessor(null);
++            Processor processor = (Processor) socketWrapper.takeCurrentProcessor();
+             release(processor);
+         }
+ 
+diff --git a/java/org/apache/tomcat/util/net/SocketWrapperBase.java b/java/org/apache/tomcat/util/net/SocketWrapperBase.java
+index 7f8020c..9376e53 100644
+--- a/java/org/apache/tomcat/util/net/SocketWrapperBase.java
++++ b/java/org/apache/tomcat/util/net/SocketWrapperBase.java
+@@ -29,6 +29,7 @@ import java.util.concurrent.RejectedExecutionException;
+ import java.util.concurrent.Semaphore;
+ import java.util.concurrent.TimeUnit;
+ import java.util.concurrent.atomic.AtomicBoolean;
++import java.util.concurrent.atomic.AtomicReference;
+ 
+ import org.apache.juli.logging.Log;
+ import org.apache.juli.logging.LogFactory;
+@@ -104,10 +105,12 @@ public abstract class SocketWrapperBase<E> {
+     protected volatile OperationState<?> writeOperation = null;
+ 
+     /**
+-     * The org.apache.coyote.Processor instance currently associated
+-     * with the wrapper.
++     * The org.apache.coyote.Processor instance currently associated with the
++     * wrapper. Only populated when required to maintain wrapper<->Processor
++     * mapping between calls to
++     * {@link AbstractEndpoint.Handler#process(SocketWrapperBase, SocketEvent)}.
+      */
+-    protected Object currentProcessor = null;
++    private final AtomicReference<Object> currentProcessor = new AtomicReference<>();
+ 
+     public SocketWrapperBase(E socket, AbstractEndpoint<E,?> endpoint) {
+         this.socket = socket;
+@@ -134,11 +137,15 @@ public abstract class SocketWrapperBase<E> {
+     }
+ 
+     public Object getCurrentProcessor() {
+-        return currentProcessor;
++        return currentProcessor.get();
+     }
+ 
+     public void setCurrentProcessor(Object currentProcessor) {
+-        this.currentProcessor = currentProcessor;
++        this.currentProcessor.set(currentProcessor);
++    }
++
++    public Object takeCurrentProcessor() {
++        return currentProcessor.getAndSet(null);
+     }
+ 
+     /**
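Review bot: The invariant the patch adds to the release(Processor) Javadoc — the method is called only once per processor — can still be violated on the upgrade path at `release(processor); processor = upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());`: if getProcessor throws, the local still references the just-released instance and the catch-all at the end of process() (its `catch` header is outside this hunk) calls `release(processor)` a second time, handing one object to the recycled pool twice. This is pre-existing rather than introduced here, but the patch now makes the local variable the sole owner of the processor, so the window is worth closing while the code is being touched. Clearing the reference first, `release(processor); processor = null; processor = upgradeProtocol.getProcessor(wrapper, getProtocol().getAdapter());`, removes it, assuming release() tolerates null as the new `processor != null && processor.isUpgrade()` guard suggests. Separately, turning `currentProcessor` from a protected field into a private AtomicReference is a binary-incompatible change for any SocketWrapperBase subclass outside the package; for a stable-release update that deserves a changelog sentence even if no in-archive consumer is known.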


=====================================
debian/patches/CVE-2022-23181.patch
=====================================
@@ -0,0 +1,30 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 25 Oct 2022 17:35:53 +0200
+Subject: CVE-2022-23181
+
+Origin: https://github.com/apache/tomcat/commit/1385c624b4a1e994426e810075c850edc38a700e
+---
+ java/org/apache/catalina/session/FileStore.java | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/java/org/apache/catalina/session/FileStore.java b/java/org/apache/catalina/session/FileStore.java
+index e461f21..f7c6cc7 100644
+--- a/java/org/apache/catalina/session/FileStore.java
++++ b/java/org/apache/catalina/session/FileStore.java
+@@ -349,13 +349,14 @@ public final class FileStore extends StoreBase {
+ 
+         String filename = id + FILE_EXT;
+         File file = new File(storageDir, filename);
++        File canonicalFile = file.getCanonicalFile();
+ 
+         // Check the file is within the storage directory
+-        if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
++        if (!canonicalFile.toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+             log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+             return null;
+         }
+ 
+-        return file;
++        return canonicalFile;
+     }
+ }
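Review bot: Returning the canonical File is the whole fix for the check/use race, but nothing in the method says so, and a later edit that returns `file` again or a caller that re-derives the path from `id` would silently reopen CVE-2022-23181. Add a why-comment on the return: `// Return the canonical File so callers open exactly the path that passed the check above; a symlink swapped in after the check is no longer followed`. The guarantee still assumes the storage directory itself is not writable by other local users, since a regular file inside it could be replaced between canonicalization and open; that is the existing FileStore threat model rather than a gap in this patch, but it belongs next to the check. The enclosing method's signature is outside the hunk, so whether it declares the IOException that getCanonicalFile() can throw cannot be confirmed here, though the original line already called the same method inline.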


=====================================
debian/patches/CVE-2022-29885.patch
=====================================
@@ -0,0 +1,72 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 25 Oct 2022 17:36:52 +0200
+Subject: CVE-2022-29885
+
+Origin: https://github.com/apache/tomcat/commit/eaafd28296c54d983e28a47953c1f5cb2c334f48
+---
+ webapps/docs/cluster-howto.xml  | 6 +++++-
+ webapps/docs/config/cluster.xml | 6 +++++-
+ webapps/docs/security-howto.xml | 8 +++++---
+ 3 files changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/webapps/docs/cluster-howto.xml b/webapps/docs/cluster-howto.xml
+index cfbfc2f..2a9244d 100644
+--- a/webapps/docs/cluster-howto.xml
++++ b/webapps/docs/cluster-howto.xml
+@@ -127,9 +127,13 @@ Tomcat cluster. These include:</p>
+   <li>private LAN</li>
+   <li>a Virtual Private Network (VPN)</li>
+   <li>IPSEC</li>
+-  <li>Encrypt cluster traffic using the <a href="config/cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes">EncryptInterceptor</a></li>
+ </ul>
+ 
++<p>The <a href="cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes">EncryptInterceptor</a>
++provides confidentiality and integrity protection but it does not protect
++against all risks associated with running a Tomcat cluster on an untrusted
++network, particularly DoS attacks.</p>
++
+ </section>
+ 
+ <section name="Cluster Basics">
+diff --git a/webapps/docs/config/cluster.xml b/webapps/docs/config/cluster.xml
+index 91e8328..dc747f2 100644
+--- a/webapps/docs/config/cluster.xml
++++ b/webapps/docs/config/cluster.xml
+@@ -52,12 +52,16 @@ to run a cluster on a insecure, untrusted network.</p>
+ <p>There are many options for providing a secure, trusted network for use by a
+ Tomcat cluster. These include:</p>
+ <ul>
+-  <li><a href="cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes">EncryptInterceptor</a></li>
+   <li>private LAN</li>
+   <li>a Virtual Private Network (VPN)</li>
+   <li>IPSEC</li>
+ </ul>
+ 
++<p>The <a href="cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes">EncryptInterceptor</a>
++provides confidentiality and integrity protection but it does not protect
++against all risks associated with running a Tomcat cluster on an untrusted
++network, particularly DoS attacks.</p>
++
+ </section>
+ <section name="Engine vs Host placement">
+   <p>
+diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
+index 3396e36..3486539 100644
+--- a/webapps/docs/security-howto.xml
++++ b/webapps/docs/security-howto.xml
+@@ -454,10 +454,12 @@
+       trusted network is used for all of the cluster related network traffic. It
+       is not safe to run a cluster on a insecure, untrusted network.</p>
+ 
+-      <p>If you are operating on an untrusted network or would prefer to
+-      exercise an over-abundance of caution, you can use the
++      <p>If you require confidentiality and/or integrity protection then you can
++      use the
+       <a href="config/cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes">EncryptInterceptor</a>
+-      to encrypt traffic between nodes.</p>
++      to encrypt traffic between nodes. This interceptor does not protect
++      against all the risks of running on an untrusted network, particularly
++      DoS attacks.</p>
+     </subsection>
+   </section>
+ 
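Review bot: The new paragraph in cluster-howto.xml links to `cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes`, while the list item it replaces linked to `config/cluster-interceptor.html#...` and security-howto.xml, which sits in the same docs directory as cluster-howto.xml, also uses the `config/` prefix; the bare relative path therefore appears to resolve to a page that does not exist beside cluster-howto.xml. Only the config/cluster.xml copy, which already lives under config/, should use the bare name. Change the href in the cluster-howto.xml hunk to `config/cluster-interceptor.html#org.apache.catalina.tribes.group.interceptors.EncryptInterceptor_Attributes`. If the upstream commit carries the same path, the correction still belongs in the Debian patch, since this page is the one administrators reach from the security advisory.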


=====================================
debian/patches/series
=====================================
@@ -15,3 +15,6 @@ CVE-2021-30640.patch
 CVE-2021-33037.patch
 CVE-2021-41079.patch
 CVE-2021-42340.patch
+CVE-2022-23181.patch
+CVE-2022-29885.patch
+CVE-2021-43980.patch


