Important: tomcat8

Issue Overview:

2024-04-01: CVE-2019-0232 was removed from this advisory.

When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to ‘/foo/’ when the user requested ‘/foo’) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. (CVE-2018-11784)

The HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API’s blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)

Affected Packages:

tomcat8

Issue Correction:
Run yum update tomcat8 to update your system.

New Packages:

noarch:  
    tomcat8-8.5.40-1.79.amzn1.noarch  
    tomcat8-docs-webapp-8.5.40-1.79.amzn1.noarch  
    tomcat8-el-3.0-api-8.5.40-1.79.amzn1.noarch  
    tomcat8-admin-webapps-8.5.40-1.79.amzn1.noarch  
    tomcat8-jsp-2.3-api-8.5.40-1.79.amzn1.noarch  
    tomcat8-log4j-8.5.40-1.79.amzn1.noarch  
    tomcat8-servlet-3.1-api-8.5.40-1.79.amzn1.noarch  
    tomcat8-webapps-8.5.40-1.79.amzn1.noarch  
    tomcat8-lib-8.5.40-1.79.amzn1.noarch  
    tomcat8-javadoc-8.5.40-1.79.amzn1.noarch  
  
src:  
    tomcat8-8.5.40-1.79.amzn1.src  

Additional References

Red Hat: CVE-2018-11784, CVE-2019-0199

Mitre: CVE-2018-11784, CVE-2019-0199