Alert GCSA-21076 - Security update for Apache Tomcat

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

******************************************************************

alert ID: GCSA-21076
date: 15 July 2021
title: Security update for Apache Tomcat

******************************************************************

:: Description of the problem

New versions of the Apache Tomcat web server have been released.
These versions fix three vulnerabilities:

CVE-2021-30639 DoS
CVE-2021-30640 JNDI realm authentication weakness
CVE-2021-33037 HTTP request smuggling


:: Affected software

Apache Tomcat versions 10.0.0-M1 to 10.0.6
Apache Tomcat versions 9.0.0.M1 to 9.0.46
Apache Tomcat versions 8.5.0 to 8.5.66
Apache Tomcat versions 7.0.0 to 7.0.108


:: Impact

Denial of Service (DoS)
Security feature bypass (SFB)


:: Solutions

Update to the most recent versions

Apache Tomcat 10.0.7 or later
https://tomcat.apache.org/security-10.html

Apache Tomcat 9.0.48 or later
https://tomcat.apache.org/security-9.html

Apache Tomcat 8.5.68 or later
https://tomcat.apache.org/security-8.html

Apache Tomcat 7.0.109 or later
https://tomcat.apache.org/security-7.html
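
For triaging an inventory against the ranges above, the following is an added example (not part of the original alert and not GARR or Apache code). It assumes version strings written as in this alert, including milestone builds such as 10.0.0-M1 and 9.0.0.M1; the status labels and the sample inventory are constructed for illustration.

```python
import re

# Affected ranges and fixed releases exactly as listed in this alert:
# branch -> (first affected, last affected, first fixed)
ADVISORY = {
    "10.0": ("10.0.0-M1", "10.0.6", "10.0.7"),
    "9.0": ("9.0.0.M1", "9.0.46", "9.0.48"),
    "8.5": ("8.5.0", "8.5.66", "8.5.68"),
    "7.0": ("7.0.0", "7.0.108", "7.0.109"),
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse(version):
    """Return a sortable key; milestone builds (M1, M2, ...) sort before the release."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    # A final release has no milestone suffix: rank it above every milestone.
    rank = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + rank


def classify(version):
    """Map a version to 'affected', 'fixed', 'not-listed' or 'not-covered'."""
    key = parse(version)
    branch = f"{key[0]}.{key[1]}"
    if branch not in ADVISORY:
        return "not-covered"  # branch is outside the scope of this alert
    first, last, fixed = (parse(v) for v in ADVISORY[branch])
    if first <= key <= last:
        return "affected"
    if key >= fixed:
        return "fixed"
    # Falls between the last affected and the first fixed version named
    # in the alert (for example 9.0.47): the alert does not classify it.
    return "not-listed"


def triage(inventory):
    """inventory: {host: version string}. Returns {host: status}."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names).
    sample = {"app01": "9.0.46", "app02": "10.0.0-M1", "app03": "8.5.68"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```
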


:: References

Apache.org
http://mail-archives.us.apache.org/mod_mbox/www-announce/202107.mbox/%3C82693bd3-f906-7aee-8835-886b78794bfe%40apache.org%3E
http://mail-archives.us.apache.org/mod_mbox/www-announce/202107.mbox/%3C9495f965-1816-a861-84ef-dda165eb1ba8%40apache.org%3E
http://mail-archives.us.apache.org/mod_mbox/www-announce/202107.mbox/%3Cd050b202-b64e-bc6f-a630-2dd83202f23a%40apache.org%3E

Mitre CVE
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037


GARR CERT Security Alert - subscribe/unsubscribe:
https://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQTGpdiR5MqstacBGHbBnEyTZRJgQgUCYPAvhAAKCRDBnEyTZRJg
QgedAKCnTTTmXYzjfV1vmAKV1wgVdUxchQCdH8N+PrGlNQhcQlt7fAYfyLG1tYM=
=TSwi
-----END PGP SIGNATURE-----