{
  "threat_severity" : "Low",
  "public_date" : "2021-07-12T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: JNDI realm authentication weakness",
    "id" : "1981544",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1981544"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-287",
  "details" : [ "A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65." ],
  "statement" : "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw: OpenDaylight was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Critical flaws, and this flaw is rated Low.",
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.11",
    "release_date" : "2022-07-07T00:00:00Z",
    "advisory" : "RHSA-2022:5532",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4863",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.6 on RHEL 7",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el7",
    "package" : "jws5-tomcat-0:9.0.50-3.redhat_00004.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.6 on RHEL 7",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el7",
    "package" : "jws5-tomcat-native-0:1.2.30-3.redhat_3.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.6 on RHEL 7",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el7",
    "package" : "jws5-tomcat-vault-0:1.1.8-4.Final_redhat_00004.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.6 on RHEL 8",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el8",
    "package" : "jws5-tomcat-0:9.0.50-3.redhat_00004.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.6 on RHEL 8",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el8",
    "package" : "jws5-tomcat-native-0:1.2.30-3.redhat_3.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.6 on RHEL 8",
    "release_date" : "2021-11-30T00:00:00Z",
    "advisory" : "RHSA-2021:4861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.6::el8",
    "package" : "jws5-tomcat-vault-0:1.1.8-4.Final_redhat_00004.1.el8jws"
  }, {
    "product_name" : "Red Hat Support for Spring Boot 2.5.10",
    "release_date" : "2022-04-12T00:00:00Z",
    "advisory" : "RHSA-2022:1179",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "tomcat"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-30640\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-30640" ],
  "name" : "CVE-2021-30640",
  "csaw" : false
}