ELA-965-1 tomcat7 security update

denial of service

2023-09-25
Package: tomcat7
Version: 7.0.56-3+really7.0.109-1+deb8u4 (jessie)
Related CVEs CVE-2023-24998 CVE-2023-41080


Two security vulnerabilities were discovered in Apache Tomcat, a servlet and JSP engine.

CVE-2023-24998

Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to
provide the file upload functionality defined in the Jakarta Servlet
specification. Apache Tomcat was, therefore, also vulnerable to the Apache
Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to
the number of request parts processed. This resulted in the possibility of
an attacker triggering a DoS with a malicious upload or series of uploads.
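The following is an added illustration of the vulnerability class described above, not code from Tomcat or Apache Commons FileUpload. It is a minimal multipart/form-data parser that, with `max_parts=None`, keeps parsing and retaining parts for as long as the client keeps sending them (the unbounded behaviour), and with the cap enabled rejects the request once the limit is hit. The limit value `MAX_PARTS`, the boundary string and the constructed request bodies are assumptions chosen for the demo, not Tomcat's configured defaults.

```python
"""Multipart parser with and without a part-count limit (added example).

Not Tomcat's or Commons FileUpload's code. MAX_PARTS and the sample bodies
are assumptions for illustration only."""

MAX_PARTS = 1000  # illustrative cap, not Tomcat's configured value


class TooManyPartsError(ValueError):
    """Raised when a request carries more parts than the configured limit."""


def split_parts(body: bytes, boundary: bytes):
    """Yield the raw bytes of each part of a multipart/form-data body.

    RFC 2046 delimiters are CRLF "--" boundary; the first delimiter has no
    preceding CRLF, so one is prepended before splitting."""
    delimiter = b"\r\n--" + boundary
    chunks = (b"\r\n" + body).split(delimiter)
    for chunk in chunks[1:]:          # chunks[0] is the preamble
        if chunk.startswith(b"--"):   # closing delimiter "--boundary--"
            return
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        yield chunk


def parse_parts(body: bytes, boundary: bytes, max_parts=MAX_PARTS):
    """Parse parts into (headers, payload) tuples, enforcing max_parts.

    max_parts=None reproduces the vulnerable behaviour: every part is parsed
    and retained in memory no matter how many the client sends."""
    parts = []
    for raw in split_parts(body, boundary):
        if max_parts is not None and len(parts) >= max_parts:
            raise TooManyPartsError(f"more than {max_parts} parts in request")
        head, _, payload = raw.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
        parts.append((headers, payload))
    return parts


def build_body(n_parts: int, boundary: bytes = b"demo") -> bytes:
    """Construct a multipart body with n_parts tiny parts (constructed data)."""
    out = bytearray()
    for i in range(n_parts):
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="f%d"\r\n\r\n' % i
        out += b"x\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)


def accepts(n_parts: int, max_parts=MAX_PARTS) -> bool:
    """True if a request with n_parts parts is fully parsed under max_parts."""
    try:
        parse_parts(build_body(n_parts), b"demo", max_parts)
        return True
    except TooManyPartsError:
        return False


if __name__ == "__main__":
    print("5 parts, capped:", accepts(5))
    print("5000 parts, capped:", accepts(5000))
    print("5000 parts, uncapped:", accepts(5000, max_parts=None))
```

The point of the cap is that it is checked before the next part is parsed, so the cost of a malicious request is bounded by `max_parts` regardless of the body size the client is willing to send.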

CVE-2023-41080

If the ROOT (default) web application is configured to use FORM
authentication, a specially crafted URL could be used to trigger a
redirect to a URL of the attacker's choice (an open redirect).
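The advisory does not spell out the crafted URL, so the following added example illustrates the general class rather than Tomcat's exact bug: after FORM login the server redirects the browser back to the originally requested URL, and if that value is used without validation, a request whose path is protocol-relative (browsers treat `//host/path` as an absolute URL) or carries a scheme sends the user off-site. This is not Tomcat's FormAuthenticator code; the function names, the fallback target and the sample inputs are assumptions for the demo.

```python
"""Post-login redirect target validation (added example, not Tomcat code).

naive_redirect_target() shows the unvalidated behaviour; safe_redirect_target()
only allows a same-origin absolute path. Names and inputs are assumptions."""

from urllib.parse import urlsplit, urlunsplit


def naive_redirect_target(requested_uri: str) -> str:
    """Vulnerable: trusts whatever the login flow saved as the original URI."""
    return requested_uri


def safe_redirect_target(requested_uri: str, fallback: str = "/") -> str:
    """Hardened: return requested_uri only if it is a same-origin path.

    Rejects anything with a scheme or authority ("http://evil", "//evil",
    "/\\evil", which some browsers normalise to "//evil"), anything that does
    not start with exactly one '/', and anything containing control characters.
    Otherwise returns path plus query with the fragment dropped."""
    if not requested_uri.startswith("/"):
        return fallback
    if requested_uri.startswith(("//", "/\\")):
        return fallback
    if any(ord(c) < 0x20 or c == "\\" for c in requested_uri):
        return fallback
    parts = urlsplit(requested_uri)
    if parts.scheme or parts.netloc:
        return fallback
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    for uri in ("/app/page?x=1", "//attacker.example/x",
                "http://attacker.example/x", "/\\attacker.example"):
        print(f"{uri!r:32} naive={naive_redirect_target(uri)!r:28} "
              f"safe={safe_redirect_target(uri)!r}")
```

The ROOT context matters for this class because its context path is empty: a saved URI is not prefixed with a context name, so a leading `//` survives into the Location header unchanged.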


For Debian 8 jessie, these problems have been fixed in version 7.0.56-3+really7.0.109-1+deb8u4.

We recommend that you upgrade your tomcat7 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.