Related CVEs: CVE-2021-30640, CVE-2022-42252
Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.
CVE-2022-42252: If Apache Tomcat was configured to ignore invalid HTTP headers by setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header. This made a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header, since the proxy and Tomcat then disagreed on where the request body ended.
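The desync described above, as an added example that is not Tomcat or Debian code: a minimal HTTP/1.1 request splitter that can be run under three header policies, so the same byte stream can be parsed the way a lenient front end and an "ignore invalid headers" back end would each see it. The stream, the `\x01` byte used as the illegal character, and the hypothetical front-end behaviour of salvaging the leading digits are all constructed for illustration; the page does not state which malformation was used.

```python
"""Request-boundary desync of the kind described for CVE-2022-42252 (model only)."""
import re
from dataclasses import dataclass, field

# Bytes this model allows in a header field value: visible ASCII, SP, HTAB.
_VALID_VALUE = re.compile(rb"[\x20-\x7e\t]*")
_ALL_DIGITS = re.compile(rb"\d+")


class InvalidHeader(Exception):
    """The whole request is refused (what rejectIllegalHeader=true does)."""


@dataclass
class Request:
    request_line: str
    headers: list = field(default_factory=list)  # (name, value) byte pairs
    body: bytes = b""


def _body_length(headers, policy):
    """Body length implied by Content-Length under a header policy.

    "reject":  an illegal Content-Length aborts the request (patched behaviour).
    "ignore":  the illegal header is skipped as if absent, so no body is expected
               (old behaviour with rejectIllegalHeader=false).
    "lenient": hypothetical front end that salvages the leading digits and forwards.
    """
    length = 0
    for name, value in headers:
        if name.lower() != b"content-length":
            continue
        if _ALL_DIGITS.fullmatch(value):
            length = int(value)
        elif not _VALID_VALUE.fullmatch(value):
            if policy == "reject":
                raise InvalidHeader(f"illegal byte in Content-Length: {value!r}")
            if policy == "ignore":
                continue  # header dropped; the request is treated as body-less
            digits = re.match(rb"\d+", value)
            if digits is None:
                raise InvalidHeader(f"unusable Content-Length: {value!r}")
            length = int(digits.group())
        else:
            # Printable but non-numeric ("Content-Length: abc"): every component
            # in this model refuses it, so it cannot produce a desync.
            raise InvalidHeader(f"non-numeric Content-Length: {value!r}")
    return length


def split_requests(stream: bytes, policy: str) -> list:
    """Split one byte stream into consecutive HTTP/1.1 requests under `policy`."""
    if policy not in ("reject", "ignore", "lenient"):
        raise ValueError(f"unknown policy {policy!r}")
    requests, pos = [], 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end < 0:
            raise ValueError("incomplete request head")
        lines = stream[pos:head_end].split(b"\r\n")
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers.append((name.strip(), value.strip()))
        length = _body_length(headers, policy)
        body_start = head_end + 4
        body = stream[body_start:body_start + length]
        requests.append(Request(lines[0].decode("ascii"), headers, body))
        pos = body_start + length
    return requests


# Constructed attacker stream: one POST whose Content-Length value ends in an
# illegal control byte, followed by 42 bytes that look like a body.
SMUGGLED = (
    b"POST /public HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 42\x01\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"  # 42 bytes from here to the end of the stream
    b"Host: app.example\r\n"
    b"\r\n"
)


def request_lines(stream: bytes, policy: str) -> list:
    return [r.request_line for r in split_requests(stream, policy)]


def is_rejected(stream: bytes, policy: str) -> bool:
    try:
        split_requests(stream, policy)
    except InvalidHeader:
        return True
    return False


if __name__ == "__main__":
    print("front end (lenient):", request_lines(SMUGGLED, "lenient"))
    print("back end  (ignore): ", request_lines(SMUGGLED, "ignore"))
    print("back end  (reject):  rejected =", is_rejected(SMUGGLED, "reject"))
```

The lenient front end forwards a single POST carrying 42 bytes of body; the "ignore" back end drops the header, sees an empty body, and parses the same 42 bytes as a second request for /admin that never passed through the proxy's access rules. With the "reject" policy the request fails before any body is read, which is the point of the fix.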
CVE-2021-30640: A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This update also fixes a regression introduced by the fix for CVE-2021-30640.
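Why accepting name variations weakens a lock-out realm, as an added model that is not Tomcat's JNDIRealm or LockOutRealm code: failures are counted per key, and if the key is the literal string submitted while the back end matches the account loosely, each spelling gets its own budget of guesses. The page does not say which variations the directory accepted, so case and surrounding whitespace stand in for them; the account store, threshold and `canonical()` rule are constructed assumptions.

```python
"""Lock-out bookkeeping keyed on the literal user name versus the canonical one (model)."""
from collections import defaultdict

# Constructed credential store. The back end is assumed to match names
# case-insensitively and to ignore surrounding whitespace.
ACCOUNTS = {"alice": "correct horse battery staple"}
LOCKOUT_THRESHOLD = 5  # consecutive failures before a key is locked (model value)


def canonical(username: str) -> str:
    """The identity the back end actually compares against (assumed rule)."""
    return username.strip().casefold()


class LockOutRealm:
    def __init__(self, key):
        self.key = key  # how a failure is attributed: literal string or canonical name
        self.failures = defaultdict(int)

    def authenticate(self, username: str, password: str) -> str:
        """Return "locked", "ok" or "bad"."""
        k = self.key(username)
        if self.failures[k] >= LOCKOUT_THRESHOLD:
            return "locked"
        if ACCOUNTS.get(canonical(username)) == password:
            self.failures[k] = 0
            return "ok"
        self.failures[k] += 1
        return "bad"


# Spellings the loose back end resolves to the same account.
VARIATIONS = ["alice", "Alice", "ALICE", " alice"]


def guesses_evaluated(realm: LockOutRealm, variations, per_name: int = 20) -> int:
    """Count wrong passwords the realm actually checks before each spelling is locked."""
    evaluated = 0
    for name in variations:
        for i in range(per_name):
            if realm.authenticate(name, f"wrong-{i}") == "locked":
                break
            evaluated += 1
    return evaluated


def demo():
    weak = LockOutRealm(key=lambda u: u)  # counts per literal string
    fixed = LockOutRealm(key=canonical)   # counts per account
    return guesses_evaluated(weak, VARIATIONS), guesses_evaluated(fixed, VARIATIONS)


if __name__ == "__main__":
    print("guesses evaluated (literal key, canonical key):", demo())
```

With the literal key the attacker gets the full threshold for every spelling (20 guesses here, and a fresh spelling such as `"Alice "` is still unlocked afterwards); keying failures on the canonical name collapses all spellings into one budget of 5 and the later spelling is locked as well.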
For Debian 8 jessie, these problems have been fixed in version 7.0.56-3+really7.0.109-1+deb8u1.
We recommend that you upgrade your tomcat7 packages.
Further information about Extended LTS security advisories can be found at: Debian Extended Long Term Support