
Apache Tomcat: Vulnerability permits safety measures to be bypassed

by admin

A security alert issued for Apache Tomcat has received an update from the BSI. You can read an overview of the security hole along with the latest updates and information about affected operating systems and products here.

The Federal Office for Information Security (BSI) published an update on May 23, 2024 for the Apache Tomcat security vulnerability identified on November 28, 2023. The vulnerability affects Linux applications, IBM QRadar SIEM, IBM Power Hardware Management Console, IBM FlashSystem, IBM Integration Bus, Apache Tomcat, Atlassian Confluence, RESF Rocky Linux, IBM App Connect Enterprise, Atlassian Jira Software and Dell NetWorker.

The latest vendor recommendations for updates, workarounds and security patches for this vulnerability can be found here: Red Hat Security Advisory RHSA-2024:3354 (from 24 May 2024). Further useful resources are listed later in this article.

Apache Tomcat Security Advisory – Risk: Medium

Risk level: 3 (medium)
CVSS Base Score: 7.3
CVSS Temporal Score: 6.4
Remote attack: Yes

The Common Vulnerability Scoring System (CVSS) is used to assess the vulnerability of computer systems. The CVSS standard makes it possible to compare potential or actual security risks on the basis of various metrics in order to create a priority list for countermeasures. The attributes "none", "low", "medium", "high" and "critical" are used to express the severity level of a vulnerability. The Base Score evaluates the prerequisites of an attack (including authentication, complexity, privileges and user interaction) and its impact. Temporal scores additionally take into account changes in the risk situation over time. The severity of the present vulnerability is classified as "medium" according to the BSI rating, with a CVSS base score of 7.3.

Apache Tomcat bug: vulnerability allows security measures to be bypassed

Apache Tomcat is a cross-platform web application server.

A remote, anonymous attacker could exploit a vulnerability in Apache Tomcat to bypass security measures.

Vulnerabilities are identified by a CVE (Common Vulnerabilities and Exposures) ID. The ID assigned to this vulnerability is CVE-2023-46589.


Systems affected by the security hole at a glance

Operating systems
Linux, MacOS X, UNIX, Windows

Products
Debian Linux (cpe:/o:debian:debian_linux)
Amazon Linux 2 (cpe:/o:amazon:linux_2)
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
SUSE Linux (cpe:/o:suse:suse_linux)
IBM SAN Volume Controller (cpe:/a:ibm:san_volume_controller)
Oracle Linux (cpe:/o:oracle:linux)
Hitachi Ops Center (cpe:/a:hitachi:ops_center)
IBM Storwize (cpe:/a:ibm:storwize)
IBM QRadar SIEM 7.5 (cpe:/a:ibm:qradar_siem)
IBM Power Hardware Management Console (cpe:/a:ibm:hardware_management_console)
IBM FlashSystem (cpe:/a:ibm:flashsystem)
IBM Integration Bus 10.1-10.1.0.2 (cpe:/a:ibm:integration_bus)
Apache Tomcat
Apache Tomcat for Atlassian Confluence
Atlassian Confluence
RESF Rocky Linux (cpe:/o:resf:rocky_linux)
IBM App Connect Enterprise (cpe:/a:ibm:app_connect_enterprise)
Atlassian Jira Software
Dell NetWorker Server

General recommendations for addressing IT security gaps

  1. Users of the affected applications should keep them up to date. When security holes are identified, vendors are expected to fix them quickly by providing a patch or workaround. When new security updates become available, install them promptly.
  2. For details, see the sources listed in the next section. These usually contain further information about the latest version of the software in question and the availability of security patches or mitigation advice.
  3. If you have any further questions or uncertainties, contact your responsible administrator. IT security managers should regularly check the listed sources to see whether a new security update is available.

Sources for updates, patches and workarounds

Here you will find links with information about bug reports, security fixes and workarounds.

Red Hat Security Advisory RHSA-2024:3354 from 2024-05-24 (23.05.2024)

Dell Security Advisory DSA-2024-208 from 2024-05-07 (06.05.2024)

IBM Security Bulletin 7114769 from 2024-04-30 (01.05.2024)

Debian Security Advisory DSA-5667 from 2024-04-19 (21.04.2024)

Debian Security Advisory DSA-5665 from 2024-04-18 (17.04.2024)

Red Hat Security Advisory RHSA-2024:1324 from 2024-03-18 (18.03.2024)

Red Hat Security Advisory RHSA-2024:1325 from 2024-03-18 (18.03.2024)

Amazon Linux Security Advisory ALASTOMCAT8.5-2024-018 from 2024-03-19 (18.03.2024)

Red Hat Security Advisory RHSA-2024:1318 from 2024-03-18 (17.03.2024)

Red Hat Security Advisory RHSA-2024:1319 from 2024-03-18 (17.03.2024)

Oracle Linux Security Advisory ELSA-2024-1134 from 2024-03-07 (07.03.2024)

Red Hat Security Advisory RHSA-2024:1092 from 2024-03-05 (05.03.2024)

Red Hat Security Advisory RHSA-2024:1134 from 2024-03-05 (05.03.2024)

Atlassian Security Bulletin February 2024 (20.02.2024)

Jira Security Advisory (20.02.2024)

IBM Security Bulletin 7118625 from 2024-02-19 (18.02.2024)

SUSE Security Update SUSE-SU-2024:0472-1 from 2024-02-14 (14.02.2024)

Rocky Linux Security Advisory RLSA-2024:0539 from 2024-02-12 (12.02.2024)

Oracle Linux Security Advisory ELSA-2024-0539 from 2024-01-30 (29.01.2024)

Hitachi Risk Information HITACHI-SEC-2024-107 from 2024-01-30 (29.01.2024)

Red Hat Security Advisory RHSA-2024:0539 from 2024-01-29 (28.01.2024)

Red Hat Security Advisory RHSA-2024:0532 from 2024-01-29 (28.01.2024)

SUSE Security Update SUSE-SU-2024:0208-1 from 2024-01-24 (24.01.2024)

SUSE Security Update SUSE-SU-2024:0209-1 from 2024-01-24 (24.01.2024)

SUSE Security Update SUSE-SU-2024:0206-1 from 2024-01-24 (24.01.2024)

Amazon Linux Security Advisory ALAS-2024-1909 from 2024-01-23 (22.01.2024)

IBM Security Bulletin 7107754 from 2024-01-16 (15.01.2024)

Debian Security Advisory DLA-3707 from 2024-01-05 (07.01.2024)

IBM Security Bulletin 7105133 from 2024-01-05 (04.01.2024)

IBM Security Bulletin 7099297 from 2023-12-18 (18.12.2023)

Apache Mailing List from 2023-11-28 (28.11.2023)

GitHub Advisory Database from 2023-11-28 (28.11.2023)


Version history of this security alert

This is version 22 of this Apache Tomcat IT security bulletin. If further updates are announced, this document will be updated. The changes made can be seen in the version history below.

2023-11-28 – First version
2023-12-18 – New updates from IBM added
2024-01-04 – New updates from IBM and IBM-APAR added
2024-01-07 – New updates from Debian added
2024-01-15 – New updates from IBM added
2024-01-22 – New updates from Amazon added
2024-01-24 – New updates from SUSE added
2024-01-28 – New updates from Red Hat added
2024-01-29 – New updates from HITACHI added
2024-02-12 – New updates from the Rocky Enterprise Software Foundation added
2024-02-14 – New updates from SUSE added
2024-02-18 – New updates from IBM added
2024-02-20 – New updates from Atlassian added
2024-03-05 – New updates from Red Hat added
2024-03-07 – New updates from Oracle Linux added
2024-03-17 – New updates from Red Hat added
2024-03-18 – New updates from Amazon and Red Hat added
2024-04-17 – New updates from Debian added
2024-04-21 – New updates from Debian added
2024-05-01 – New updates from IBM added
2024-05-06 – New updates from Dell added
2024-05-23 – New updates from Red Hat added

+++ Editorial note: This document is based on current BSI data and will be updated automatically depending on the status of the alert. We welcome suggestions and feedback at [email protected]. +++


kns/roj/news.de
