{
  "threat_severity" : "Moderate",
  "public_date" : "2021-03-01T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: Request mix-up with h2c",
    "id" : "1934032",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1934032"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another, meaning that user A and user B could both see the results of user A's request.", "A flaw was found in Apache Tomcat. When responding to new h2c (cleartext HTTP/2 upgrade) connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another, meaning that user A and user B could both see the results of user A's request. The highest threat from this vulnerability is to data confidentiality." ],
  "statement" : "Red Hat Enterprise Linux 8's Identity Management and Certificate System use a vulnerable version of Tomcat that is bundled into the `pki-servlet-engine` component. However, HTTP/2 is not enabled in that configuration, so the flaw cannot be triggered in a supported setup. Note that this assessment assumes the shipped configuration: a deployment that has manually enabled HTTP/2 on the Tomcat connector exposes the h2c path described above and should be treated as potentially affected. A future update may fix the code. Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 are not affected by this flaw because HTTP/2 is not supported in the version of Tomcat shipped in those packages.\nRed Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.11",
    "release_date" : "2022-07-07T00:00:00Z",
    "advisory" : "RHSA-2022:5532",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "tomcat",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2562",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 7",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7",
    "package" : "jws5-ecj-0:4.12.0-3.redhat_2.2.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 7",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7",
    "package" : "jws5-mod_cluster-0:1.4.3-2.Final_redhat_00002.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 7",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7",
    "package" : "jws5-tomcat-0:9.0.43-11.redhat_00011.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 7",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7",
    "package" : "jws5-tomcat-native-0:1.2.26-3.redhat_3.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 7",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7",
    "package" : "jws5-tomcat-vault-0:1.1.8-2.Final_redhat_00003.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 8",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8",
    "package" : "jws5-ecj-0:4.12.0-3.redhat_2.2.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 8",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8",
    "package" : "jws5-mod_cluster-0:1.4.3-2.Final_redhat_00002.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 8",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8",
    "package" : "jws5-tomcat-0:9.0.43-11.redhat_00011.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 8",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8",
    "package" : "jws5-tomcat-native-0:1.2.26-3.redhat_3.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 8",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8",
    "package" : "jws5-tomcat-vault-0:1.1.8-2.Final_redhat_00003.1.el8jws"
  }, {
    "product_name" : "Red Hat support for Spring Boot 2.3.10",
    "release_date" : "2021-09-09T00:00:00Z",
    "advisory" : "RHSA-2021:3425",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "tomcat"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-25122\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-25122\nhttp://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3Cb7626398-5e6d-1639-4e9e-e41b34af84de%40apache.org%3E\nhttps://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.2\nhttps://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.63\nhttps://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43" ],
  "name" : "CVE-2021-25122",
  "csaw" : false
}