| Version | 8.0.14-1+deb8u23 (jessie), 8.5.54-0+deb9u9 (stretch) |
| Related CVEs | CVE-2022-23181 CVE-2022-29885 CVE-2022-42252 |
Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. The version of Tomcat 8 in Jessie was only affected by CVE-2022-23181.
CVE-2022-42252: If Apache Tomcat was configured to ignore invalid HTTP headers by setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header. This made a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
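The smuggling risk described above arises only when the reverse proxy and Tomcat disagree about where a request body ends. The following added example (not part of the advisory or of Tomcat) shows the framing checks a strict front end applies so that an invalid Content-Length header never reaches the backend: the header name must be a valid token, Content-Length must be a plain decimal, it must not be repeated, and it must not be combined with Transfer-Encoding. The sample requests and the host name `backend.example` are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Constructed sample requests (header block only, bodies omitted); the host is a placeholder.
SAMPLE_REQUESTS = {
    "clean":       b"POST /app HTTP/1.1\r\nHost: backend.example\r\nContent-Length: 5\r\n\r\n",
    "non_numeric": b"POST /app HTTP/1.1\r\nHost: backend.example\r\nContent-Length: 5x\r\n\r\n",
    "negative":    b"POST /app HTTP/1.1\r\nHost: backend.example\r\nContent-Length: -1\r\n\r\n",
    "duplicate":   b"POST /app HTTP/1.1\r\nHost: backend.example\r\nContent-Length: 5\r\nContent-Length: 10\r\n\r\n",
    "cl_and_te":   b"POST /app HTTP/1.1\r\nHost: backend.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "bad_name":    b"POST /app HTTP/1.1\r\nHost: backend.example\r\nContent Length: 5\r\n\r\n",
}

# RFC 9110 token characters: the only characters permitted in a header field name.
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
# A Content-Length value must be an unsigned decimal integer, nothing else.
_DIGITS = re.compile(r"[0-9]+")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request head into (name, value) pairs without normalising anything."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:                    # lines[0] is the request line
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("header line without ':'")
        headers.append((name.decode("latin-1"), value.decode("latin-1").strip(" \t")))
    return headers


def check_framing(headers: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (accept, reason); reject anything two parsers could frame differently."""
    for name, _ in headers:
        if not _TOKEN.fullmatch(name):
            return False, f"illegal header name {name!r}"
    cl = [v for n, v in headers if n.lower() == "content-length"]
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    if cl and te:
        return False, "both Content-Length and Transfer-Encoding present"
    if len(cl) > 1:
        # RFC 9112 tolerates repeated identical values; a front end that must agree
        # with its backend is safer refusing any repeat at all.
        return False, "repeated Content-Length"
    if cl and not _DIGITS.fullmatch(cl[0]):
        return False, f"invalid Content-Length {cl[0]!r}"
    return True, "ok"


def check_request(raw: bytes) -> Tuple[bool, str]:
    """Parse and check one raw request head; parse failures are rejections too."""
    try:
        return check_framing(parse_headers(raw))
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        accept, reason = check_request(raw)
        print(f"{label:12s} {'ACCEPT' if accept else 'REJECT'}  {reason}")
```

The same rule has to hold on the Tomcat side, which is what leaving rejectIllegalHeader at its strict value achieves; a proxy check alone is not enough if the backend silently accepts what the proxy would have rejected, and vice versa.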
CVE-2022-23181: The fix for CVE-2020-9484 introduced a time-of-check/time-of-use (TOCTOU) vulnerability into Apache Tomcat that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is running as. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
CVE-2022-29885: The Apache Tomcat documentation for the EncryptInterceptor incorrectly stated that it enabled Tomcat clustering to run over an untrusted network. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over an untrusted network, particularly denial-of-service (DoS) risks.
For Debian 8 jessie, these problems have been fixed in version 8.0.14-1+deb8u23.
For Debian 9 stretch, these problems have been fixed in version 8.5.54-0+deb9u9.
We recommend that you upgrade your tomcat8 packages.
Further information about Extended LTS security advisories can be found at: Debian Extended Long Term Support