{
  "threat_severity" : "Moderate",
  "public_date" : "2021-01-14T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: Information disclosure when using NTFS file system",
    "id" : "1917209",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1917209"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.", "A flaw was found in Apache Tomcat. When serving resources from a network location using the NTFS file system, it was possible to bypass security constraints and view the source code for JSPs in some configurations. The root cause was the unexpected behavior of the JRE API File.getCanonicalPath(), which was caused by the inconsistent behavior of the Windows API (FindFirstFileW) in some circumstances. The highest threat from this vulnerability is to confidentiality." ],
  "statement" : "In Red Hat OpenStack Platform's OpenDaylight, tomcat is disabled by default. Further, ODL deployments are not supported on untrusted administrator networks; even if tomcat is enabled, a deployment in which arbitrary users can access it would be an unsupported configuration. For this reason, the RHOSP impact has been reduced and no update will be provided at this time for the ODL tomcat package.\nThis flaw does not affect tomcat or pki-servlet-engine as shipped with Red Hat Enterprise Linux 6, 7, or 8 because the functionality involving FindFirstFileW() is specific to Windows native code. Additionally, RHEL is not shipped with NTFS support.",
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.11",
    "release_date" : "2022-07-07T00:00:00Z",
    "advisory" : "RHSA-2022:5532",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "tomcat",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "release_date" : "2021-02-11T00:00:00Z",
    "advisory" : "RHSA-2021:0495",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 7",
    "release_date" : "2021-02-11T00:00:00Z",
    "advisory" : "RHSA-2021:0494",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el7",
    "package" : "jws5-tomcat-0:9.0.36-9.redhat_8.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 7",
    "release_date" : "2021-02-11T00:00:00Z",
    "advisory" : "RHSA-2021:0494",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el7",
    "package" : "jws5-tomcat-native-0:1.2.25-3.redhat_3.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 8",
    "release_date" : "2021-02-11T00:00:00Z",
    "advisory" : "RHSA-2021:0494",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el8",
    "package" : "jws5-tomcat-0:9.0.36-9.redhat_8.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 8",
    "release_date" : "2021-02-11T00:00:00Z",
    "advisory" : "RHSA-2021:0494",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el8",
    "package" : "jws5-tomcat-native-0:1.2.25-3.redhat_3.el8jws"
  }, {
    "product_name" : "Red Hat support for Spring Boot 2.3.10",
    "release_date" : "2021-09-09T00:00:00Z",
    "advisory" : "RHSA-2021:3425",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat support for Spring Boot",
    "fix_state" : "Affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-24122\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-24122\nhttp://mail-archives.apache.org/mod_mbox/tomcat-announce/202101.mbox/%3Cf3765f21-969d-7f21-e34a-efc106175373%40apache.org%3E\nhttp://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.107\nhttp://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.60\nhttp://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.40" ],
  "name" : "CVE-2021-24122",
  "csaw" : false
}