Talend Component Kit / TCOMP-2765

Upgrade tomcat from 9.0.87 to 9.0.93


Details


    Description

      Title: CVE-2024-34750 org.apache.tomcat:tomcat-coyote 9.0.87

      Defect Dojo link: https://defectdojo.dagali.talendinc.com/finding/452586

      Severity: High

      Due Date: Oct. 4, 2024

      CWE: CWE-400

      CVE: CVE-2024-34750

      CVSSv3 Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

      Product/Engagement/Test: Studio / trivy-sca_studio / Trivy Scan

      Vulnerable Component: org.apache.tomcat:tomcat-coyote 9.0.87

      Source File: plugins/org.talend.designer.maven.repo.tcksdk_8.0.2.20240706_1616/repository/maven_repository/org/apache/tomcat/tomcat-coyote/9.0.87/tomcat-coyote-9.0.87.jar

      Description:
      tomcat: Improper Handling of Exceptional Conditions
      Target: Java
      Type: jar
      Fixed version: 11.0.0-M21, 10.1.25, 9.0.90

      Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

      This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.

      Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

      Mitigation:
      Upgrade to 11.0.0-M21, 10.1.25 or 9.0.90 (or later on the same release line).
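      The affected and fixed ranges quoted above, turned into a repository check. This is an added example, not code from the ticket, the scanner or the Talend Component Kit. It assumes Maven-style jar file names of the form tomcat-<module>-<version>.jar (tomcat-coyote, tomcat-embed-core and the other Tomcat artifacts all carry the Tomcat release number); the sample paths are constructed, the first mirroring the Source File above. The version parser orders milestone builds (11.0.0-M20) before the GA release of the same number, which is the edge case that matters for the 11.0.0 line.

```python
"""Flag Tomcat jars that fall in the CVE-2024-34750 affected ranges.

Added example (not part of the ticket or of Talend's code). Ranges and fixed
versions are the ones quoted from the Apache advisory:
  9.0.0-M1 .. 9.0.89     -> fixed in 9.0.90
  10.1.0-M1 .. 10.1.24   -> fixed in 10.1.25
  11.0.0-M1 .. 11.0.0-M20 -> fixed in 11.0.0-M21
"""
import re
from pathlib import Path

# First fixed version per release line (major, minor), from the advisory text.
FIXED_BY_LINE = {
    (9, 0): "9.0.90",
    (10, 1): "10.1.25",
    (11, 0): "11.0.0-M21",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def parse_version(version):
    """Return a sortable tuple for a Tomcat version string.

    Milestones sort before the GA release of the same number:
      11.0.0-M21 -> (11, 0, 0, 0, 21)
      11.0.0     -> (11, 0, 0, 1, 0)
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def is_vulnerable(version):
    """True if `version` lies in an affected range of CVE-2024-34750.

    Release lines the advisory does not list (e.g. 8.5.x) are reported as not
    affected by this CVE only; this is not a general end-of-life check.
    """
    parsed = parse_version(version)
    fixed = FIXED_BY_LINE.get(parsed[:2])
    if fixed is None:
        return False
    return parsed < parse_version(fixed)

# Assumed file-name convention: tomcat-<module>-<version>.jar
_JAR_RE = re.compile(r"tomcat-[a-z0-9-]+-(\d+\.\d+\.\d+(?:-M\d+)?)\.jar$")

def find_vulnerable_jars(paths):
    """Return [(path, version)] for every Tomcat jar in an affected range."""
    hits = []
    for p in paths:
        m = _JAR_RE.search(str(p))
        if m and is_vulnerable(m.group(1)):
            hits.append((str(p), m.group(1)))
    return hits

def scan_tree(root):
    """Walk a directory tree (e.g. a bundled Maven repository) for affected jars."""
    return find_vulnerable_jars(Path(root).rglob("*.jar"))

# Constructed sample paths; the first mirrors the Source File in the finding.
SAMPLE_PATHS = [
    "plugins/org.talend.designer.maven.repo.tcksdk_8.0.2.20240706_1616/repository/"
    "maven_repository/org/apache/tomcat/tomcat-coyote/9.0.87/tomcat-coyote-9.0.87.jar",
    "repo/org/apache/tomcat/tomcat-coyote/9.0.93/tomcat-coyote-9.0.93.jar",
    "repo/org/apache/tomcat/embed/tomcat-embed-core/10.1.24/tomcat-embed-core-10.1.24.jar",
    "repo/org/apache/tomcat/embed/tomcat-embed-core/11.0.0-M21/tomcat-embed-core-11.0.0-M21.jar",
]

if __name__ == "__main__":
    for path, version in find_vulnerable_jars(SAMPLE_PATHS):
        print(f"VULNERABLE {version}: {path}")
```

      Run against the plugins directory (scan_tree("plugins")) after the upgrade: 9.0.93, the target of this ticket, is past the 9.0.90 fix and is not reported, while the 9.0.87 jar from the finding is.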

      References:
      https://access.redhat.com/security/cve/CVE-2024-34750
      https://github.com/apache/tomcat
      https://github.com/apache/tomcat/commit/2344a4c0d03e307ba6b8ab6dc8b894cc8bac63f2
      https://github.com/apache/tomcat/commit/2afae300c9ac9c0e516e2e9de580847d925365c3
      https://github.com/apache/tomcat/commit/9fec9a82887853402833a80b584e3762c7423f5f
      https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l
      https://nvd.nist.gov/vuln/detail/CVE-2024-34750
      https://tomcat.apache.org/security-10.html
      https://tomcat.apache.org/security-11.html
      https://tomcat.apache.org/security-9.html
      https://www.cve.org/CVERecord?id=CVE-2024-34750

      Reporter: (infosec-scans) (security-scan@talend.com)

       

      TCK tomcat usage

      https://tomcat.apache.org/
      Apache Tomcat is an open source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language and Jakarta WebSocket specifications.
      It lets developers serve dynamically generated web pages based on HTML, XML or other document types.
      TCK uses it as its server, so the tomcat-coyote jar flagged above is on the request path.

People

  Axel Catoire (acatoire)
  Zheng Huang Yuan (zyuan)
  Yueyan Yin