An IT safety alert replace for a identified vulnerability has been issued for Apache Tomcat. You can learn an outline of the safety hole together with the newest updates and details about affected Linux techniques and merchandise right here.
Federal workplace for Security in Information Technology (BSI) revealed an replace on May 16, 2024 for the Apache Tomcat safety vulnerability identified on March 13, 2024. The safety vulnerability impacts the Linux working system and merchandise Debian Linux, Amazon Linux 2, Red Hat Enterprise Linux, SUSE Linux, IBM Power Hardware Management Console, IBM Integration Bus, Apache Tomcat and SolarWinds Security Event Manager.
The newest producer suggestions for updates, workarounds and safety patches for this vulnerability may be discovered right here: IBM Security Bulletin 7153639 (From 17 May 2024). Some helpful sources are listed later on this article.
Apache Tomcat Security Advisory – Risk: Medium
Risk stage: 3 (average)
CVSS Base Score: 7.5
CVSS provisional rating: 6.5
Remote management: Ja
The Common Vulnerability Scoring System (CVSS) is used to evaluate the vulnerability of laptop techniques. The CVSS customary makes it doable to match potential or precise safety dangers primarily based on varied metrics to create a precedence listing for countermeasures. The attributes “none”, “low”, “medium”, “excessive” and “extreme” are used to find out the severity ranges of vulnerability. The Base Score evaluates the necessities of an assault (together with authentication, complexity, privileges, consumer interplay) and its outcomes. For non permanent impact, body situations which will change over time are thought of within the check. According to CVSS, the chance of the vulnerability talked about right here is evaluated as “inner” with a base rating of seven.5.
Apache Tomcat Bug: Multiple vulnerabilities enable a denial of service
Apache Tomcat is a cross-platform net utility server.
A distant, unknown attacker may exploit a number of vulnerabilities in Apache Tomcat to carry out a denial of service assault.
Vulnerabilities are recognized by CVE (Common Vulnerabilities and Exposures) ID numbers. CVE-2024-23672 and CVE-2024-24549 on the market.
Systems affected by the safety hole at a look
working system
Linux
Products
Debian Linux (cpe:/o:debian:debian_linux)
Amazon Linux 2 (cpe:/o:amazon:linux_2)
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
SUSE Linux (cpe:/o:use:suse_linux)
IBM Power Hardware Management Console v10 (cpe:/a:ibm:hardware_management_console)
IBM Integration Bus Apache Tomcat Apache Tomcat Apache Tomcat SolarWinds Security Event Manager
Common steps to deal with IT safety gaps
- Users of affected techniques ought to keep up-to-date. When safety holes are identified, producers are required to repair them shortly by growing a patch or workaround. If safety patches can be found, set up them instantly.
- For data, see the sources listed within the subsequent part. This typically incorporates further details about the newest model of the software program in query and the supply of safety patches or efficiency suggestions.
- If you’ve gotten any additional questions or uncertainties, please contact your accountable administrator. IT safety managers ought to usually verify the required sources to see if a brand new safety replace is obtainable.
Manufacturer details about updates, patches and workarounds
Here you can find some hyperlinks with details about bug stories, safety fixes and workarounds.
IBM Security Bulletin 7153639 vom 2024-05-17 (16.05.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1917 vom 2024-05-07 (07.05.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1916 vom 2024-05-07 (07.05.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1914 vom 2024-05-07 (07.05.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1913 vom 2024-05-07 (07.05.2024)
For extra data, see:
Debian Security Advisory DSA-5667 vom 2024-04-19 (21.04.2024)
For extra data, see:
SUSE Security Update SUSE-SU-2024:1345-1 vom 2024-04-18 (18.04.2024)
For extra data, see:
Amazon Linux Security Advisory ALAS-2024-2514 vom 2024-04-18 (17.04.2024)
For extra data, see:
Amazon Linux Security Advisory ALASTOMCAT9-2024-013 vom 2024-04-18 (17.04.2024)
For extra data, see:
Debian Security Advisory DSA-5665 vom 2024-04-18 (17.04.2024)
For extra data, see:
Amazon Linux Security Advisory ALASTOMCAT8.5-2024-019 vom 2024-04-18 (17.04.2024)
For extra data, see:
IBM Security Bulletin 7148394 vom 2024-04-16 (16.04.2024)
For extra data, see:
IBM Security Bulletin 7148395 vom 2024-04-16 (16.04.2024)
For extra data, see:
Release notes for SEM 2024.2 from 2024-04-17 (16.04.2024)
For extra data, see:
SUSE Security Update SUSE-SU-2024:1204-1 vom 2024-04-11 (11.04.2024)
For extra data, see:
SUSE Security Update SUSE-SU-2024:1205-1 vom 2024-04-11 (11.04.2024)
For extra data, see:
Debian Security Advisory DLA-3779 vom 2024-04-06 (07.04.2024)
For extra data, see:
IBM Security Bulletin 7147535 vom 2024-04-05 (04.04.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1324 vom 2024-03-18 (18.03.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1325 vom 2024-03-18 (18.03.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1318 vom 2024-03-18 (17.03.2024)
For extra data, see:
Red Hat Security Advisory RHSA-2024:1319 vom 2024-03-18 (17.03.2024)
For extra data, see:
oss-sec mailing listing archives vom 2024-03-13 (13.03.2024)
For extra data, see:
oss-sec mailing listing archives vom 2024-03-13 (13.03.2024)
For extra data, see:
Apache Pony Mail dated 2024-03-13 (13.03.2024)
For extra data, see:
Apache Pony Mail dated 2024-03-13 (13.03.2024)
For extra data, see:
Version historical past of this safety alert
This is model 12 of this IT safety bulletin for Apache Tomcat. This doc shall be up to date as extra updates are introduced. You can examine adjustments or additions on this model historical past.
March 13, 2024 – First model
03/17/2024 – New updates from Red Hat have been added
03/18/2024 – New updates from Red Hat added
April 4, 2024 – New updates from IBM-APAR and IBM have been added
04/07/2024 – New updates from Debian added
April 11, 2024 – New updates from SUSE added
April 16, 2024 – Added new updates from IBM
April 17, 2024 – Added new updates from Amazon and Debian
April 18, 2024 – New updates from SUSE added
April 21, 2024 – New updates from Debian added
May 7, 2024 – New updates from Red Hat have been added
May 16, 2024 – New updates from IBM added
+++ Editorial word: This doc is predicated on present BSI knowledge and shall be up to date in a data-driven method relying on the standing of the alert. We welcome suggestions and feedback at [email protected]. +++
comply with News.de you might be right here Facebook, Twitter, Pinterest once more YouTube? Here you can find sizzling information, present movies and a direct line to the editorial crew.
kns/roj/information.de