ELA-735-1 tomcat7 security update

request smuggling

Version: 7.0.56-3+really7.0.109-1+deb8u1 (jessie)
Related CVEs: CVE-2021-30640, CVE-2022-42252

Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

CVE-2022-42252

If Apache Tomcat was configured to ignore invalid HTTP headers by setting
rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not
reject a request containing an invalid Content-Length header. This made a
request smuggling attack possible if Tomcat was located behind a reverse
proxy that also failed to reject the request with the invalid header, since
the proxy and Tomcat could then disagree on where that request's body ends.
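As an added illustration (not Tomcat or Debian code), the following Python models the Content-Length handling at issue: a strict parser (rejectIllegalHeader=true) that refuses the request, the lenient behaviour described above, which drops the invalid header so the request is read as having no body, and a hypothetical front-end proxy that keeps the leading digits of the malformed value. The byte stream and the proxy's leading-digits behaviour are assumptions made for the example. Running it shows the two sides splitting the same bytes into a different number of requests, which is the desync that makes smuggling possible.

```python
"""Added example: how an invalid Content-Length becomes a request smuggling
primitive when two parsers in the chain handle it differently.

Modes modelled:
  "reject"  - rejectIllegalHeader=true: the request is refused (400).
  "ignore"  - rejectIllegalHeader=false: the bad header is dropped, so the
              request is treated as having no body.
  "lenient" - a hypothetical front-end proxy that keeps the leading digits
              (atoi-style); an assumption made purely to show the desync.
"""
import re

CL_VALID = re.compile(rb"^[0-9]+$")  # RFC 9110: Content-Length = 1*DIGIT


def body_length(headers, mode):
    """Number of body bytes announced by Content-Length under a given policy."""
    for name, value in headers:
        if name.lower() != b"content-length":
            continue
        if CL_VALID.match(value):
            return int(value)
        if mode == "reject":
            raise ValueError("400 Bad Request: invalid Content-Length %r" % value)
        if mode == "ignore":
            return 0  # header dropped: no body
        digits = re.match(rb"[0-9]+", value)  # hypothetical lenient proxy
        return int(digits.group()) if digits else 0
    return 0


def parse_stream(data, mode):
    """Split a pipelined HTTP/1.1 byte stream into requests (no chunked support)."""
    requests = []
    pos = 0
    while pos < len(data):
        end = data.index(b"\r\n\r\n", pos)
        lines = data[pos:end].split(b"\r\n")
        method, target, _version = lines[0].split(b" ", 2)
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers.append((name.strip(), value.strip()))
        length = body_length(headers, mode)
        start = end + 4
        requests.append({"method": method, "target": target,
                         "body": data[start:start + length]})
        pos = start + length
    return requests


def rejects(data):
    """True if a parser with rejectIllegalHeader=true refuses the stream."""
    try:
        parse_stream(data, "reject")
    except ValueError:
        return True
    return False


# Constructed attacker payload: a POST whose Content-Length is not 1*DIGIT,
# followed by the request the attacker hopes to smuggle past the proxy.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
STREAM = (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: " + str(len(SMUGGLED)).encode() + b"abc\r\n\r\n"
          + SMUGGLED)

if __name__ == "__main__":
    front = parse_stream(STREAM, "lenient")  # proxy: one POST carrying SMUGGLED as its body
    back = parse_stream(STREAM, "ignore")    # backend: POST with empty body, then GET /admin
    print([r["target"] for r in front], [r["target"] for r in back], rejects(STREAM))
```

The practical check in a real deployment is the "reject" branch: send a request with a non-numeric Content-Length through the proxy and confirm that it is answered with 400 rather than forwarded, and that rejectIllegalHeader has not been set to false on the Tomcat side.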

CVE-2021-30640

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
authenticate using variations of a valid user name and/or to bypass some of
the protection provided by the LockOut Realm. This update also fixes a
regression introduced by the earlier fix for CVE-2021-30640.
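As an added illustration (not Tomcat's JNDIRealm or LockOutRealm code), the Python below shows the general shape of the problem described above: a lock-out counter keyed on the exact string the client sent is sidestepped by a directory that treats spelling variations of a name as the same account. The in-memory directory and its matching rules (case-insensitive, whitespace-trimmed) are assumptions made for the example. The two hardening steps shown, escaping the name before it goes into an LDAP search filter (RFC 4515) and keying lock-out on the canonical name the directory returns while refusing logins whose supplied name differs from it, are this example's own, not a description of the Debian patch.

```python
"""Added example: user-name variations versus a lock-out counter.

FakeDirectory is a constructed stand-in for an LDAP directory; its matching
rules are an assumption for the example, not a description of any server.
"""

# RFC 4515, section 3: characters that must be escaped inside a filter value.
LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value for safe use inside an LDAP search filter."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


class FakeDirectory:
    """Constructed directory: matches case-insensitively, ignores surrounding
    whitespace and returns the canonical entry (assumption). It does not
    interpret filter syntax, so escaping only matters against a real server."""

    def __init__(self, users):
        self.users = users  # canonical name -> password

    def search(self, filter_value):
        key = filter_value.strip().lower()
        for name, password in self.users.items():
            if name.lower() == key:
                return name, password
        return None


class LockOutRealm:
    """Counts failed logins and refuses further attempts after max_failures.

    key_on_canonical: count failures against the directory's canonical name
                      instead of the raw string the client sent.
    require_exact:    refuse a login whose supplied name differs from the
                      canonical name, even if the password is right.
    """

    def __init__(self, directory, max_failures=3, key_on_canonical=False, require_exact=False):
        self.directory = directory
        self.max_failures = max_failures
        self.key_on_canonical = key_on_canonical
        self.require_exact = require_exact
        self.failures = {}

    def authenticate(self, username, password):
        """Return "ok", "bad" (wrong credentials) or "locked"."""
        entry = self.directory.search(escape_filter_value(username))
        canonical = entry[0] if entry else username
        key = canonical if self.key_on_canonical else username
        if self.failures.get(key, 0) >= self.max_failures:
            return "locked"
        ok = entry is not None and entry[1] == password
        if ok and self.require_exact and canonical != username:
            ok = False  # spelling variation of a valid name: refuse it
        if not ok:
            self.failures[key] = self.failures.get(key, 0) + 1
            return "bad"
        return "ok"


def run_attack(realm, spellings, wrong_passwords):
    """Cycle wrong passwords over name spellings; return the realm's verdicts."""
    return [realm.authenticate(spellings[i % len(spellings)], pw)
            for i, pw in enumerate(wrong_passwords)]


if __name__ == "__main__":
    directory = FakeDirectory({"alice": "s3cret"})  # constructed account
    spellings = ["alice", "Alice", "alice "]
    weak = LockOutRealm(directory, max_failures=3)
    print(run_attack(weak, spellings, list("abcdef")), weak.authenticate("Alice", "s3cret"))
    strong = LockOutRealm(directory, max_failures=3, key_on_canonical=True, require_exact=True)
    print(run_attack(strong, spellings, list("abcd")))
```

With the weak configuration six wrong guesses spread over three spellings never trigger the lock-out and the variant "Alice" still logs in; with failures keyed on the canonical name the fourth attempt is refused as locked, and a correct password under a variant spelling is rejected outright.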

For Debian 8 jessie, these problems have been fixed in version 7.0.56-3+really7.0.109-1+deb8u1.

We recommend that you upgrade your tomcat7 packages.

Further information about Extended LTS security advisories can be found at: Debian Extended Long Term Support