阿里云漏洞库

漏洞描述

Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could

cause Tomcat to skip some parts of the recycling process leading to

information leaking from the current request/response to the next.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
http://www.openwall.com/lists/oss-security/2023/10/10/9
https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
https://security.netapp.com/advisory/ntap-20231103-0007/
https://www.debian.org/security/2023/dsa-5521
https://www.debian.org/security/2023/dsa-5522

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	apache	tomcat	*	From (including) 10.1.1	Up to (excluding) 10.1.14
	运行在以下环境
	应用	apache	tomcat	*	From (including) 8.5.0	Up to (excluding) 8.5.94
	运行在以下环境
	应用	apache	tomcat	*	From (including) 9.0.1	Up to (excluding) 9.0.81
	运行在以下环境
	应用	apache	tomcat	10.1.0	-
	运行在以下环境
	应用	apache	tomcat	11.0.0	-
	运行在以下环境
	应用	apache	tomcat	9.0.0	-
	运行在以下环境
	系统	alma_linux_8	tomcat	*		Up to (excluding) 9.0.62-27.el8_9.2
	运行在以下环境
	系统	alma_linux_9	tomcat	*		Up to (excluding) 9.0.62-37.el9_3.1
	运行在以下环境
	系统	amazon_2	tomcat	*		Up to (excluding) 9.0.81-1.amzn2.0.1
	运行在以下环境
	系统	amazon_2023	tomcat9	*		Up to (excluding) 4.0-api-9.0.82-1.amzn2023.0.1
	运行在以下环境
	系统	amazon_AMI	tomcat8	*		Up to (excluding) 3.1-api-8.5.94-1.95.amzn1
	运行在以下环境
	系统	anolis_os_23	tomcat	*		Up to (excluding) 9.0.84-1
	运行在以下环境
	系统	debian	debian_linux	10.0	-
	运行在以下环境
	系统	debian	debian_linux	11.0	-
	运行在以下环境
	系统	debian	debian_linux	12.0	-
	运行在以下环境
	系统	debian_10	tomcat9	*		Up to (excluding) 9.0.31-1~deb10u9
	运行在以下环境
	系统	debian_11	tomcat9	*		Up to (excluding) 9.0.43-2~deb11u7
	运行在以下环境
	系统	debian_12	tomcat9	*		Up to (excluding) 10.1.6-1+deb12u1
	运行在以下环境
	系统	oracle_8	tomcat	*		Up to (excluding) 9.0.62-27.el8_9.2
	运行在以下环境
	系统	oracle_9	tomcat	*		Up to (excluding) 9.0.62-37.el9_3.1
	运行在以下环境
	系统	redhat_8	tomcat	*		Up to (excluding) 9.0.62-27.el8_9.2
	运行在以下环境
	系统	redhat_9	tomcat	*		Up to (excluding) 9.0.62-37.el9_3.1
	运行在以下环境
	系统	suse_12_SP5	tomcat	*		Up to (excluding) 9.0.36-3.111.1

攻击路径

本地
攻击复杂度

困难
权限要求

管控权限
影响范围

有限影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

无影响
数据完整性

无影响
服务器危害

无影响
全网数量

N/A

CWE-ID	漏洞类型
CWE-459	清理环节不完整

中危 Apache Tomcat：请求清理期间失败会导致敏感数据泄漏到后续请求 (CVE-2023-42795)

漏洞描述

解决建议

参考链接

受影响软件情况