ELA-735-1 tomcat7 security update

request smuggling

2022-11-20
Packagetomcat7
Version7.0.56-3+really7.0.109-1+deb8u1 (jessie)
Related CVEs CVE-2021-30640 CVE-2022-42252


Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

CVE-2022-42252

If Apache Tomcat was configured to ignore invalid HTTP headers via setting
rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not
reject a request containing an invalid Content-Length header making a
request smuggling attack possible if Tomcat was located behind a reverse
proxy that also failed to reject the request with the invalid header.

CVE-2021-30640

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
authenticate using variations of a valid user name and/or to bypass some of
the protection provided by the LockOut Realm. This update fixes a
regression due to the fix for CVE-2021-30640.


For Debian 8 jessie, these problems have been fixed in version 7.0.56-3+really7.0.109-1+deb8u1.

We recommend that you upgrade your tomcat7 packages.

Further information about Extended LTS security advisories can be found at: debian Extended Long term support