| Package | tomcat7 |
|---|---|
| Version | 7.0.56-3+really7.0.109-1+deb8u1 (jessie) |
| Related CVEs | CVE-2021-30640 CVE-2022-42252 |
Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.
CVE-2022-42252
If Apache Tomcat was configured to ignore invalid HTTP headers via setting
rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not
reject a request containing an invalid Content-Length header making a
request smuggling attack possible if Tomcat was located behind a reverse
proxy that also failed to reject the request with the invalid header.
CVE-2021-30640
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
authenticate using variations of a valid user name and/or to bypass some of
the protection provided by the LockOut Realm. This update fixes a
regression due to the fix for CVE-2021-30640.
For Debian 8 jessie, these problems have been fixed in version 7.0.56-3+really7.0.109-1+deb8u1.
We recommend that you upgrade your tomcat7 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.