An IT safety alert replace for a identified vulnerability has been issued for Apache Tomcat. You can examine which working techniques and merchandise are affected by the safety hole right here at information.de.
Federal workplace for Security in Information Technology (BSI) issued an replace on May 23, 2024 for the Apache Tomcat safety vulnerability identified on March 13, 2024. The safety vulnerability impacts the Linux working system and merchandise Debian Linux, Amazon Linux 2, Red Hat Enterprise Linux , SUSE Linux, Oracle Linux, IBM Power Hardware Management Console, IBM Integration Bus, Apache Tomcat and SolarWinds Security Event Manager.
The newest producer suggestions for updates, workarounds and safety patches for this vulnerability may be discovered right here: Oracle Linux Security Advisory ELSA-2024-3307 (From 24 May 2024). Some helpful hyperlinks are listed later on this article.
Apache Tomcat Security Advisory – Risk: Medium
Risk degree: 3 (reasonable)
CVSS Base Score: 7.5
CVSS provisional rating: 6.5
Remote management: Ja
The Common Vulnerability Scoring System (CVSS) is used to evaluate the severity of safety vulnerabilities in pc techniques. The CVSS normal makes it attainable to check potential or precise safety dangers based mostly on varied metrics to create a precedence checklist for countermeasures. The attributes “none”, “low”, “medium”, “excessive” and “extreme” are used to find out the severity ranges of vulnerability. The Base Score evaluates the necessities of an assault (together with authentication, complexity, privileges, consumer interplay) and its outcomes. For momentary impact, body situations that will change over time are thought of within the check. The severity of the vulnerability mentioned right here is classed as “reasonable” in accordance with the CVSS with a base rating of seven.5.
Apache Tomcat Bug: Multiple vulnerabilities permit a denial of service
Apache Tomcat is a cross-platform net utility server.
A distant, unknown attacker might exploit a number of vulnerabilities in Apache Tomcat to carry out a denial of service assault.
Vulnerabilities are recognized by CVE (Common Vulnerabilities and Exposures) serial numbers. CVE-2024-23672 and CVE-2024-24549 on the market.
Systems affected by the safety hole at a look
working system
Linux
Products
Debian Linux (cpe:/o:debian:debian_linux)
Amazon Linux 2 (cpe:/o:amazon:linux_2)
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
SUSE Linux (cpe:/o:use:suse_linux)
Oracle Linux (cpe:/o:oracle:linux)
IBM Power Hardware Management Console v10 (cpe:/a:ibm:hardware_management_console)
IBM Integration Bus Apache Tomcat Apache Tomcat Apache Tomcat SolarWinds Security Event Manager
General suggestions for addressing IT safety gaps
- Users of the affected apps ought to keep up-to-date. When safety holes are identified, producers are required to repair them rapidly by growing a patch or workaround. If safety patches can be found, set up them instantly.
- For data, see the sources listed within the subsequent part. This typically comprises extra details about the most recent model of the software program in query and the supply of safety patches or efficiency suggestions.
- If you could have any additional questions or uncertainties, please contact your accountable administrator. IT safety managers ought to often test the desired sources to see if a brand new safety replace is out there.
Sources for updates, patches and workarounds
Here you will see that some hyperlinks with details about bug studies, safety fixes and workarounds.
Oracle Linux Security Advisory ELSA-2024-3307 vom 2024-05-24 (23.05.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:3308 vom 2024-05-23 (22.05.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:3307 vom 2024-05-23 (22.05.2024)
For extra data, see:
IBM Security Bulletin 7153639 vom 2024-05-17 (16.05.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1917 vom 2024-05-07 (07.05.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1916 vom 2024-05-07 (07.05.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1914 vom 2024-05-07 (07.05.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1913 vom 2024-05-07 (07.05.2024)
For extra data, see:
Debian Security Advisory DSA-5667 vom 2024-04-19 (21.04.2024)
For extra data, see:
SUSE Security Update SUSE-SU-2024:1345-1 vom 2024-04-18 (18.04.2024)
For extra data, see:
Amazon Linux Security Advisory ALAS-2024-2514 vom 2024-04-18 (17.04.2024)
For extra data, see:
Amazon Linux Security Advisory ALASTOMCAT9-2024-013 vom 2024-04-18 (17.04.2024)
For extra data, see:
Debian Security Advisory DSA-5665 vom 2024-04-18 (17.04.2024)
For extra data, see:
Amazon Linux Security Advisory ALASTOMCAT8.5-2024-019 vom 2024-04-18 (17.04.2024)
For extra data, see:
IBM Security Bulletin 7148394 vom 2024-04-16 (16.04.2024)
For extra data, see:
IBM Security Bulletin 7148395 vom 2024-04-16 (16.04.2024)
For extra data, see:
Release notes for SEM 2024.2 from 2024-04-17 (16.04.2024)
For extra data, see:
SUSE Security Update SUSE-SU-2024:1204-1 vom 2024-04-11 (11.04.2024)
For extra data, see:
SUSE Security Update SUSE-SU-2024:1205-1 vom 2024-04-11 (11.04.2024)
For extra data, see:
Debian Security Advisory DLA-3779 vom 2024-04-06 (07.04.2024)
For extra data, see:
IBM Security Bulletin 7147535 vom 2024-04-05 (04.04.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1324 vom 2024-03-18 (18.03.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1325 vom 2024-03-18 (18.03.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1318 vom 2024-03-18 (17.03.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1319 vom 2024-03-18 (17.03.2024)
For extra data, see:
oss-sec electronic mail mailing checklist archives vom 2024-03-13 (13.03.2024)
For extra data, see:
oss-sec mailing checklist archives vom 2024-03-13 (13.03.2024)
For extra data, see:
Apache Pony Mail dated 2024-03-13 (13.03.2024)
For extra data, see:
Apache Pony Mail dated 2024-03-13 (13.03.2024)
For extra data, see:
Version historical past of this safety alert
This is model 14 of this IT safety discover for Apache Tomcat. If additional updates are introduced, this doc might be up to date. You can examine adjustments or additions on this model historical past.
March 13, 2024 – First model
03/17/2024 – New updates from Red Hat have been added
03/18/2024 – New updates from Red Hat have been added
April 4, 2024 – New updates from IBM-APAR and IBM have been added
04/07/2024 – New updates from Debian added
April 11, 2024 – New updates from SUSE added
April 16, 2024 – Added new updates from IBM
April 17, 2024 – Added new updates from Amazon and Debian
April 18, 2024 – New updates from SUSE added
April 21, 2024 – New updates from Debian added
May 7, 2024 – New updates from Red Hat have been added
May 16, 2024 – New updates from IBM added
05/22/2024 – New updates from Red Hat have been added
May 23, 2024 – New Oracle Linux updates added
+++ Editorial observe: This doc is predicated on present BSI information and might be up to date in a data-driven method relying on the standing of the alert. We welcome suggestions and feedback at [email protected]. +++
observe News.de you might be right here Facebook, Twitter, Pinterest once more YouTube? Here you will see that sizzling information, present movies and a direct line to the editorial staff.
kns/roj/information.de