Addressing Tomcat Vulnerabilities in End-of-Life Ubuntu Systems
Apache Tomcat is a widely used open-source web server and servlet container, but like any software, it is not immune to vulnerabilities. Canonical has released security updates to address multiple Tomcat vulnerabilities across different releases, including Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 ESM, and Ubuntu 16.04 ESM. These vulnerabilities, if exploited, could lead to severe consequences including denial of service, arbitrary code execution, and disclosure of sensitive information.
In this article, we explore the details of these vulnerabilities and provide guidance on how to protect your systems with essential security updates and extended support.
Tomcat Vulnerabilities Patched in Ubuntu
CVE-2020-9484 (CVSS v3 Severity Score: 7.0 High)
A vulnerability was discovered in Tomcat where it incorrectly handled certain uncommon PersistenceManager with FileStore configurations. This issue could potentially allow a remote attacker to execute arbitrary code. It only affected Tomcat 8 running on Ubuntu 18.04.
CVE-2021-25122 (CVSS v3 Severity Score: 7.5 High)
Another vulnerability was found in Tomcat’s handling of certain HTTP/2 connection requests. A remote attacker could leverage this flaw to obtain incorrect responses that might contain sensitive information. This vulnerability also affected Tomcat 8 on Ubuntu 18.04 LTS. The improper handling of HTTP/2 requests can lead to information leakage, posing a significant risk to the confidentiality of data.
CVE-2021-41079 (CVSS v3 Severity Score: 7.5 High)
Thomas Wozenilek identified a vulnerability in Tomcat related to the handling of certain TLS packets. This issue could potentially allow a remote attacker to cause a denial of service (DoS). This vulnerability was specific to Tomcat 8 on Ubuntu 18.04. Denial of service attacks disrupt the availability of web services, causing significant operational issues.
CVE-2022-23181 (CVSS v3 Severity Score: 7.0 High)
Trung Pham discovered a race condition in Tomcat when handling session files with FileStore. This vulnerability could allow a remote attacker to execute arbitrary code. It affected Tomcat 8 on Ubuntu 16.04 and 18.04, as well as Tomcat 9 on Ubuntu 18.04 LTS and 20.04 LTS.
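CVE-2020-9484 above and CVE-2022-23181 here both involve the same Tomcat session-persistence setup, so the following Python audit script is added as an example (it is not part of the original article or of Canonical's advisory) to locate that configuration in a context.xml file. It assumes Tomcat's PersistentManager and FileStore class names and the sessionAttributeValueClassNameFilter attribute, none of which the article names, and the sample contexts are constructed. Applying the security update is still the fix; the audit only shows which contexts use the affected configuration so they can be prioritized.

```python
import xml.etree.ElementTree as ET

# Tomcat class names behind what the advisory calls "PersistenceManager with FileStore".
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"


def audit_context(xml_text):
    """Return one finding per <Manager> in a context.xml that persists sessions
    to disk via FileStore, noting whether sessionAttributeValueClassNameFilter
    (the deserialization allow-list applied when sessions are reloaded) is set."""
    findings = []
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        store = manager.find("Store")
        if store is None or store.get("className") != FILE_STORE:
            continue
        directory = store.get("directory", "(default work dir)")
        name_filter = manager.get("sessionAttributeValueClassNameFilter", "").strip()
        if name_filter:
            findings.append("FileStore session persistence in %s; class-name filter set: %s"
                            % (directory, name_filter))
        else:
            # With no filter (and no SecurityManager) any class on the classpath
            # may be deserialized from a session file when it is loaded.
            findings.append("FileStore session persistence in %s with NO "
                            "sessionAttributeValueClassNameFilter" % directory)
    return findings


# Constructed sample contexts for demonstration, not taken from any real deployment.
UNFILTERED_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""
FILTERED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""
STANDARD_CONTEXT = '<Context><Manager className="org.apache.catalina.session.StandardManager"/></Context>'

if __name__ == "__main__":
    for label, doc in (("unfiltered", UNFILTERED_CONTEXT), ("filtered", FILTERED_CONTEXT),
                       ("standard", STANDARD_CONTEXT)):
        print(label, audit_context(doc) or ["no FileStore session persistence"])
```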
CVE-2022-29885 (CVSS v3 Severity Score: 7.5 High)
A vulnerability was identified in Tomcat’s documentation, which incorrectly stated that EncryptInterceptor provided availability protection over untrusted networks. This misinformation could allow a remote attacker to cause a denial of service, even when EncryptInterceptor was in use. The issue affected Tomcat 8 on Ubuntu 18.04 LTS and Tomcat 9 on Ubuntu 18.04, 20.04 LTS, and 22.04 LTS.
Protecting Your Ubuntu Systems
Given the risks associated with these vulnerabilities, it is essential to ensure that your Tomcat installation is up to date with the latest security patches. For supported Ubuntu releases, such as Ubuntu 22.04 LTS and 20.04 LTS, security updates are available through the standard repository. Regularly applying these updates helps mitigate the risks posed by known vulnerabilities.
However, Ubuntu 16.04 and 18.04 have reached their end of life (EOL) and no longer receive standard security updates. If you are running these versions, you should consider upgrading to a supported release. Alternatively, you can opt for extended support services.
Extended Lifecycle Support (ELS) with TuxCare
TuxCare offers Extended Lifecycle Support (ELS) for Ubuntu 16.04 and 18.04, providing automated security patching for up to five years after the official end of life date. This service covers a wide range of packages, including the Linux kernel, Tomcat, glibc, OpenSSL, Python, OpenJDK, and more. With TuxCare’s ELS, your systems remain protected from emerging threats, ensuring a secure computing environment even beyond the standard support period.
Conclusion
Tomcat vulnerabilities can pose significant risks to your web applications and data. By staying informed about these vulnerabilities and promptly applying security updates, you can protect your systems from potential attacks. For systems running on EOL versions of Ubuntu, extended support options like TuxCare’s ELS provide a valuable solution to maintain security and compliance.
Learn about the dangers of running end of life Linux in this guide.
Source: USN-6943-1