Lucene search

K
atlassian[email protected]ATLASSIAN:JRA-59887
HistoryFeb 19, 2016 - 12:04 a.m.

Upgrade Tomcat to the latest 8.0.x release

2016-02-1900:04:16
jira.atlassian.com
26

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.009 Low

EPSS

Percentile

81.3%

h3. Summary

We are currently on 8.0.17 and have already been bitten by a bug in it:

https://bz.apache.org/bugzilla/show_bug.cgi?id=57476

We should upgrade to the latest to get the latest bugfixes.

Also, there have been a number of recent CVEs involving Tomcat, most of which involve SecurityManager, which I believe we do not currently use.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763

However, these are related to other aspects of Tomcat:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351 (probably doesn’t affect us)

Updating Tomcat to one of these versions would appear to patch all of the above CVEs:

  • Apache Tomcat 9.0.0.M3
  • Apache Tomcat 8.0.32
  • Apache Tomcat 7.0.68
  • Apache Tomcat 6.0.45

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.009 Low

EPSS

Percentile

81.3%

Related for ATLASSIAN:JRA-59887