vSphere Replication


Apache Tomcat 8.5.0 < 8.5.63 Multiple Vulnerabilities - vSphere Replication Latest Version - 8.4.0

  • 1.  Apache Tomcat 8.5.0 < 8.5.63 Multiple Vulnerabilities - vSphere Replication Latest Version - 8.4.0

    Posted Mar 19, 2021 02:59 PM
    Hi support, our vulnerability scanner reported the finding below for our vSphere Replication 8.4.0 (latest version).

    Please help us resolve the vulnerabilities below. How do we update the Apache Tomcat?

      Apache Tomcat 8.5.0 < 8.5.63 Multiple Vulnerabilities
    Description
    The version of Tomcat installed on the remote host is prior to 8.5.63. It is, therefore, affected by multiple vulnerabilities as referenced in the vendor advisory.

    - When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. (CVE-2021-25122)

    - When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329)

    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
     
    Solution
    Upgrade to Apache Tomcat version 8.5.63 or later.
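    As an added example (not from this thread or from VMware), a small Python check that parses a Tomcat version string, including the milestone forms 9.0.0.M1 and 10.0.0-M1, and compares it with the affected ranges quoted in the scanner output above. The banner line it reads is a constructed sample in the format printed by Tomcat's version.sh; a scanner that only trusts a self-reported version is doing the same comparison, so this shows exactly what the finding is based on.

```python
import re

# Affected ranges (inclusive) as listed in the scanner description above.
AFFECTED = {
    "CVE-2021-25122": [("10.0.0-M1", "10.0.0"), ("9.0.0.M1", "9.0.41"),
                       ("8.5.0", "8.5.61")],
    "CVE-2021-25329": [("10.0.0-M1", "10.0.0"), ("9.0.0.M1", "9.0.41"),
                       ("8.5.0", "8.5.61"), ("7.0.0", "7.0.107")],
}

# major.minor.patch with an optional milestone tag written as ".M1" or "-M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Turn '9.0.0.M1', '10.0.0-M1' or '8.5.63' into a sortable tuple.

    A milestone sorts before the GA release with the same numbers, so the
    tail is (0, n) for milestone n and (1, 0) for a GA build.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def affected_cves(version):
    """Return the CVEs from the advisory whose ranges contain this version."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def version_from_banner(banner):
    """Pull the version out of a 'Server version: Apache Tomcat/x.y.z' line."""
    m = re.search(r"Apache Tomcat/(\S+)", banner)
    if not m:
        raise ValueError("no Tomcat version in banner")
    return m.group(1)


# Constructed sample of what version.sh prints on an unpatched 8.5 install.
SAMPLE_BANNER = "Server version: Apache Tomcat/8.5.61"

if __name__ == "__main__":
    print(affected_cves(version_from_banner(SAMPLE_BANNER)))
```

    Run it against the real version.sh output of the appliance to see whether the scanner's version-based verdict matches what is installed.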


  • 2.  RE: Apache Tomcat 8.5.0 < 8.5.63 Multiple Vulnerabilities - vSphere Replication Latest Version - 8.4.0

    Posted Mar 22, 2021 07:17 PM

    Any updates, please?



  • 3.  RE: Apache Tomcat 8.5.0 < 8.5.63 Multiple Vulnerabilities - vSphere Replication Latest Version - 8.4.0

    Posted Jul 13, 2023 04:00 PM

    I've stumbled across your question while seeking the same answer. I have found this:

    https://kb.vmware.com/s/article/2000954

    Which states: "The appropriate method for patching the included Apache Tomcat application is to apply the latest version/patch of vCenter Server. As new versions of vCenter Server are released, the included Apache Tomcat application may be upgraded to a newer version that would address the known vulnerabilities."

    Is that good enough for a POAM? I guess I'm going to find out.