=========================================================================
Ubuntu Security Notice USN-5360-1
March 31, 2022
tomcat9 vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in Tomcat.
Software Description:
- tomcat9: Apache Tomcat 9 - Servlet and JSP engine
Details:
It was discovered that Tomcat incorrectly performed input verification.
A remote attacker could possibly use this issue to intercept sensitive
information. (CVE-2020-13943, CVE-2020-17527, CVE-2021-25122, CVE-2021-30640)
It was discovered that Tomcat did not properly deserialize untrusted data.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2020-9484, CVE-2021-33037)
It was discovered that Tomcat did not properly validate the input length. An
attacker could possibly use this to trigger an infinite loop, resulting in a
denial of service. (CVE-2020-9494, CVE-2021-25329, CVE-2021-41079)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
libtomcat9-embed-java 9.0.31-1ubuntu0.2
libtomcat9-java 9.0.31-1ubuntu0.2
tomcat9 9.0.31-1ubuntu0.2
tomcat9-common 9.0.31-1ubuntu0.2
Ubuntu 18.04 LTS:
libtomcat9-embed-java 9.0.16-3ubuntu0.18.04.2
libtomcat9-java 9.0.16-3ubuntu0.18.04.2
tomcat9 9.0.16-3ubuntu0.18.04.2
tomcat9-common 9.0.16-3ubuntu0.18.04.2
In general, a standard system update will make all the necessary changes.
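One way to verify that the update actually landed on a host, as an added example that is not part of this notice or of Ubuntu's own tooling: the script below reimplements dpkg's version ordering (the algorithm behind `dpkg --compare-versions`) and audits `dpkg-query` output against the fixed versions listed above. The `dpkg-query` output embedded in it is constructed for the demonstration; the package names and fixed version strings are the ones from this notice.

```python
"""Check installed tomcat9 packages against the fixed versions in USN-5360-1.
Added example; version ordering follows dpkg's vercmp, dpkg-query sample is constructed."""
import sys

PACKAGES = ("libtomcat9-embed-java", "libtomcat9-java", "tomcat9", "tomcat9-common")
# Fixed versions copied from the Update instructions of USN-5360-1.
FIXED_VERSIONS = {
    "20.04": dict.fromkeys(PACKAGES, "9.0.31-1ubuntu0.2"),
    "18.04": dict.fromkeys(PACKAGES, "9.0.16-3ubuntu0.18.04.2"),
}

def _order(c):
    # Character weight from dpkg's vercmp: '~' sorts before everything (even
    # end of string), letters before other symbols, digits are handled separately.
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's algorithm: alternate between comparing non-digit runs character
    # by character and digit runs numerically (leading zeros ignored).
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(a[i:i + 1]), _order(b[j:j + 1])  # "" past the end
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has more digits in this run, so it is numerically larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(v):
    # Split "[epoch:]upstream[-revision]" into its three parts.
    epoch, _, rest = v.rpartition(":")
    upstream, _, revision = rest.rpartition("-")
    if not upstream:  # no '-' present: the whole string is the upstream version
        upstream, revision = revision, ""
    return int(epoch or 0), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    (ea, ua, ra), (eb, ub, rb) = parse_version(a), parse_version(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def parse_dpkg_query(output):
    # Parse lines produced by: dpkg-query -W -f='${Package} ${Version} ${Status}\n'
    # into {package: (version, is_installed)}.
    packages = {}
    for line in output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            name, version, status = parts
            # Only the "installed" state carries code; "config-files" leftovers do not.
            packages[name] = (version, status.split()[-1] == "installed")
    return packages

def audit(dpkg_output, release):
    """Return (package, installed, fixed) for installed packages older than the fix."""
    if release not in FIXED_VERSIONS:
        raise ValueError("USN-5360-1 does not cover Ubuntu %s" % release)
    installed = parse_dpkg_query(dpkg_output)
    findings = []
    for name, fixed in sorted(FIXED_VERSIONS[release].items()):
        if name not in installed or not installed[name][1]:
            continue
        version = installed[name][0]
        if compare_versions(version, fixed) < 0:
            findings.append((name, version, fixed))
    return findings

# Constructed dpkg-query output for a 20.04 host that has only partly updated.
SAMPLE_DPKG_OUTPUT = """\
libtomcat9-embed-java 9.0.31-1ubuntu0.2 deinstall ok config-files
libtomcat9-java 9.0.31-1ubuntu0.1 install ok installed
tomcat9 9.0.31-1ubuntu0.1 install ok installed
tomcat9-common 9.0.31-1ubuntu0.2 install ok installed
"""

if __name__ == "__main__":
    # Pipe real dpkg-query output on stdin; first argument is the Ubuntu release.
    for finding in audit(sys.stdin.read(), sys.argv[1] if len(sys.argv) > 1 else "20.04"):
        print("%s: installed %s, fixed in %s" % finding)
```

On a real host the input comes from `dpkg-query -W -f='${Package} ${Version} ${Status}\n' libtomcat9-embed-java libtomcat9-java tomcat9 tomcat9-common`, piped into the script with the release (`20.04` or `18.04`) as its argument; the release matters because the fixed version strings differ per series. The string comparison is the part worth getting right: a naive lexical compare would rank `0.10` below `0.9`, whereas dpkg's digit-run rule, reproduced above, ranks it higher.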
References:
https://ubuntu.com/security/notices/USN-5360-1
CVE-2020-13943, CVE-2020-17527, CVE-2020-9484, CVE-2020-9494,
CVE-2021-25122, CVE-2021-25329, CVE-2021-30640, CVE-2021-33037,
CVE-2021-41079
https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1915911
Package Information:
https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.2
https://launchpad.net/ubuntu/+source/tomcat9/9.0.16-3ubuntu0.18.04.2