Apache Tomcat Security Update Advisory
Overview
An update has been released to address vulnerabilities in Apache Tomcat. Users of the affected versions are advised to update to the latest version.
Affected Products
CVE-2024-52316
- Apache Tomcat versions: 11.0.0-M1 (inclusive) ~ 11.0.0-M26 (inclusive)
- Apache Tomcat versions: 10.1.0-M1 (inclusive) ~ 10.1.30 (inclusive)
- Apache Tomcat versions: 9.0.0-M1 (inclusive) ~ 9.0.95 (inclusive)
CVE-2024-52317
- Apache Tomcat versions: 11.0.0-M23 (inclusive) ~ 11.0.0-M26 (inclusive)
- Apache Tomcat versions: 10.1.27 (inclusive) ~ 10.1.30 (inclusive)
- Apache Tomcat versions: 9.0.92 (inclusive) ~ 9.0.95 (inclusive)
CVE-2024-52318
- Apache Tomcat version: 11.0.0
- Apache Tomcat version: 10.1.31
- Apache Tomcat version: 9.0.96
Resolved Vulnerabilities
A custom Jakarta Authentication (ServerAuthContext) component configured in Apache Tomcat that throws an exception during authentication without explicitly setting an HTTP status indicating failure could allow the authentication process to be bypassed (CVE-2024-52316)
Incorrect recycling of the request and response objects used for HTTP/2 requests in Apache Tomcat could lead to a request and/or response mix-up between users (CVE-2024-52317)
Incorrect object recycling and reuse in Apache Tomcat could lead to cross-site scripting (XSS) in generated JSPs (CVE-2024-52318)
Vulnerability Patches
Fixes are included in the releases listed below. Please follow the instructions on the Referenced Sites to update to a fixed version. Note that the releases fixing CVE-2024-52318 are later than those fixing CVE-2024-52316 and CVE-2024-52317, so upgrading to 11.0.1, 10.1.33 or 9.0.97 (or later) addresses all three.
CVE-2024-52316, CVE-2024-52317
- Apache Tomcat version: 11.0.0 or later version
- Apache Tomcat version: 10.1.31 or later version
- Apache Tomcat version: 9.0.96 or later version
CVE-2024-52318
- Apache Tomcat version: 11.0.1 or later version
- Apache Tomcat version: 10.1.33 or later version (10.1.32 was not released.)
- Apache Tomcat version: 9.0.97 or later version
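The following POSIX shell script is an added example, not part of this advisory or of the Apache Tomcat project: it classifies Tomcat version strings against the affected and fixed versions listed above, handling the milestone builds (11.0.0-M26 sorts below 11.0.0), the fact that 10.1.32 was never released, and branches this advisory does not cover. The function names and the sample version.sh banner are our own.

```shell
#!/bin/sh
# Added example (not advisory or Tomcat project code): check Tomcat version
# strings against the version ranges in this advisory.

# Map "MAJOR.MINOR.PATCH[-Mn]" (or the 4-part "Server number" form) to one
# sortable integer. A milestone build (-Mn) gets n as its last component and
# a final release gets 999, so 11.0.0-M26 sorts below 11.0.0 as the advisory's
# ranges require. Fits in a 32-bit signed int for any Tomcat version.
tomcat_version_key() {
  case $1 in
    *-M*) base=${1%%-M*}; ms=${1##*-M} ;;
    *)    base=$1;        ms=999 ;;
  esac
  major=${base%%.*}
  rest=${base#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%.*}   # drop a trailing ".0" from "9.0.95.0"
  echo $(( major * 100000000 + minor * 1000000 + patch * 1000 + ms ))
}

# Print one line: "VULNERABLE <CVE...> (upgrade to X)", "FIXED" or "NOT-COVERED".
# The windows and fixed versions are exactly those listed in this advisory.
tomcat_advisory_status() {
  v=$1
  k=$(tomcat_version_key "$v")
  # first: start of the CVE-2024-52317 window; fixed1: release fixing
  # 52316/52317 (and the only release per branch hit by 52318);
  # fixed2: release fixing 52318.
  case $v in
    11.0.*) first=11.0.0-M23; fixed1=11.0.0;  fixed2=11.0.1 ;;
    10.1.*) first=10.1.27;    fixed1=10.1.31; fixed2=10.1.33 ;;  # 10.1.32 was never released
    9.0.*)  first=9.0.92;     fixed1=9.0.96;  fixed2=9.0.97 ;;
    *)      echo "NOT-COVERED"; return 0 ;;   # e.g. 8.5.x: not in this advisory
  esac
  k1=$(tomcat_version_key "$fixed1")
  kf=$(tomcat_version_key "$first")
  out=""
  [ "$k" -lt "$k1" ] && out="$out CVE-2024-52316"
  [ "$k" -ge "$kf" ] && [ "$k" -lt "$k1" ] && out="$out CVE-2024-52317"
  [ "$k" -eq "$k1" ] && out="$out CVE-2024-52318"
  if [ -n "$out" ]; then
    echo "VULNERABLE${out} (upgrade to $fixed2)"
  else
    echo "FIXED"
  fi
}

# Extract the version from the output of "$CATALINA_HOME/bin/version.sh"
# (the "Server version: Apache Tomcat/<version>" line).
tomcat_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's|^Server version: *Apache Tomcat/||p'
}

# Constructed sample of a version.sh banner, used for the stand-alone run.
SAMPLE_BANNER='Server version: Apache Tomcat/9.0.95
Server built:   (constructed sample)
Server number:  9.0.95.0'

# Usage: sh tomcat_advisory_check.sh 9.0.95 10.1.31 11.0.0-M26 ...
for v in "$@"; do
  printf '%-12s %s\n' "$v" "$(tomcat_advisory_status "$v")"
done
```

On a live host, feed it the installed version with `v=$("$CATALINA_HOME/bin/version.sh" | sed -n 's|^Server version: *Apache Tomcat/||p')` and pass `$v` as an argument; for a fleet, pass the versions collected from each instance. Branches other than 9.0.x, 10.1.x and 11.0.x are reported as NOT-COVERED rather than FIXED, because this advisory says nothing about them.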
Referenced Sites
[1] CVE-2024-52316 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-52316
[2] [SECURITY] CVE-2024-52316 Apache Tomcat – Authentication Bypass
https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928
[3] CVE-2024-52317 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-52317
[4] [SECURITY] CVE-2024-52317 Apache Tomcat – Request and/or response mix-up
https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs
[5] CVE-2024-52318 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-52318
[6] [SECURITY] CVE-2024-52318 Apache Tomcat – XSS in generated JSPs
https://lists.apache.org/thread/co243cw1nlh6p521c5265cm839wkqdp9