openzipkin / zipkin

Zipkin is a distributed tracing system
https://zipkin.io/
Apache License 2.0

Multiple critical/high severity vulnerabilities with apache tomcat_tomcat-embed-core #3396

Closed 40Cakes closed 3 years ago

40Cakes commented 3 years ago

Describe the Bug

Multiple high-severity vulnerabilities with apache tomcat_tomcat-embed-core: we use Prisma Cloud in our environment to scan our builds, and it has detected the following issues with the Zipkin image below:

I was wondering if these bugs are exploitable in the context of Zipkin, and if they are, is it possible at all to upgrade tomcat_tomcat-embed-core to a newer/latest version?

+----------------+----------+------+---------------------------------+---------+-------------------------------------+-------------+------------+------------+----------------------------------------------------+
|      CVE       | SEVERITY | CVSS |             PACKAGE             | VERSION |               STATUS                |  PUBLISHED  | DISCOVERED | GRACE DAYS |                    DESCRIPTION                     |
+----------------+----------+------+---------------------------------+---------+-------------------------------------+-------------+------------+------------+----------------------------------------------------+
| CVE-2020-1938  | critical | 9.80 | apache tomcat_tomcat-embed-core | 8.5.46  | fixed in 9.0.31, 8.5.51, 7.0.100    | > 1 years   | < 1 hour   | -627       | When using the Apache JServ Protocol (AJP), care   |
|                |          |      |                                 |         | > 1 years ago                       |             |            |            | must be taken when trusting incoming connections   |
|                |          |      |                                 |         |                                     |             |            |            | to Apache Tomcat. Tomcat treats AJP connections as |
|                |          |      |                                 |         |                                     |             |            |            | h...                                               |
+----------------+----------+------+---------------------------------+---------+-------------------------------------+-------------+------------+------------+----------------------------------------------------+
| CVE-2021-41079 | high     | 7.50 | apache tomcat_tomcat-embed-core | 8.5.46  | fixed in 9.0.44, 8.5.64             | 70 days     | < 1 hour   | -57        | Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43  |
|                |          |      |                                 |         | 70 days ago                         |             |            |            | and 10.0.0-M1 to 10.0.2 did not properly validate  |
|                |          |      |                                 |         |                                     |             |            |            | incoming TLS packets. When Tomcat was configured   |
|                |          |      |                                 |         |                                     |             |            |            | t...                                               |
+----------------+----------+------+---------------------------------+---------+-------------------------------------+-------------+------------+------------+----------------------------------------------------+
| CVE-2021-25122 | high     | 7.50 | apache tomcat_tomcat-embed-core | 8.5.46  | fixed in 10.0.2, 9.0.43, 8.5.63     | > 8 months  | < 1 hour   |            | When responding to new h2c connection requests,    |
|                |          |      |                                 |         | > 8 months ago                      |             |            |            | Apache Tomcat versions 10.0.0-M1 to 10.0.0,        |
|                |          |      |                                 |         |                                     |             |            |            | 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could       |
|                |          |      |                                 |         |                                     |             |            |            | duplicate req...                                   |
+----------------+----------+------+---------------------------------+---------+-------------------------------------+-------------+------------+------------+----------------------------------------------------+
| CVE-2020-17527 | high     | 7.50 | apache tomcat_tomcat-embed-core | 8.5.46  | fixed in 9.0.40, 8.5.60             | > 11 months | < 1 hour   |            | While investigating bug 64830 it was discovered    |
|                |          |      |                                 |         | > 11 months ago                     |             |            |            | that Apache Tomcat 10.0.0-M1 to 10.0.0-M9,         |
|                |          |      |                                 |         |                                     |             |            |            | 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could       |
|                |          |      |                                 |         |                                     |             |            |            | re-use an HTTP...                                  |
+----------------+----------+------+---------------------------------+---------+-------------------------------------+-------------+------------+------------+----------------------------------------------------+
| CVE-2020-13935 | high     | 7.50 | apache tomcat_tomcat-embed-core | 8.5.46  | fixed in 9.0.37, 8.5.57, 7.0.105    | > 1 years   | < 1 hour   | -486       | The payload length in a WebSocket frame was not    |
|                |          |      |                                 |         | > 1 years ago                       |             |            |            | correctly validated in Apache Tomcat 10.0.0-M1 to  |
|                |          |      |                                 |         |                                     |             |            |            | 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and |
|                |          |      |                                 |         |                                     |             |            |            | 7...                                               |
+----------------+----------+------+---------------------------------+---------+-------------------------------------+-------------+------------+------------+----------------------------------------------------+
| CVE-2020-13934 | high     | 7.50 | apache tomcat_tomcat-embed-core | 8.5.46  | fixed in 9.0.37, 8.5.57             | > 1 years   | < 1 hour   | -486       | An h2c direct connection to Apache Tomcat          |
|                |          |      |                                 |         | > 1 years ago                       |             |            |            | 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and     |
|                |          |      |                                 |         |                                     |             |            |            | 8.5.1 to 8.5.56 did not release the HTTP/1.1       |
|                |          |      |                                 |         |                                     |             |            |            | processor after ...                                |
+----------------+----------+------+---------------------------------+---------+-------------------------------------+-------------+------------+------------+----------------------------------------------------+
| CVE-2020-11996 | high     | 7.50 | apache tomcat_tomcat-embed-core | 8.5.46  | fixed in 9.0.36, 8.5.56             | > 1 years   | < 1 hour   | -504       | A specially crafted sequence of HTTP/2 requests    |
|                |          |      |                                 |         | > 1 years ago                       |             |            |            | sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5,      |
|                |          |      |                                 |         |                                     |             |            |            | 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could       |
|                |          |      |                                 |         |                                     |             |            |            | trigger hig...                                     |
+----------------+----------+------+---------------------------------+---------+-------------------------------------+-------------+------------+------------+----------------------------------------------------+
| CVE-2019-17563 | high     | 7.50 | apache tomcat_tomcat-embed-core | 8.5.46  | fixed in 9.0.30, 8.5.50, 7.0.99     | > 1 years   | < 1 hour   | -690       | When using FORM authentication with Apache Tomcat  |
|                |          |      |                                 |         | > 1 years ago                       |             |            |            | 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to   |
|                |          |      |                                 |         |                                     |             |            |            | 7.0.98 there was a narrow window where an attacker |
|                |          |      |                                 |         |                                     |             |            |            | ...                                                |
+----------------+----------+------+---------------------------------+---------+-------------------------------------+-------------+------------+------------+----------------------------------------------------+
| CVE-2021-25329 | high     | 7.00 | apache tomcat_tomcat-embed-core | 8.5.46  | fixed in 10.0.2, 9.0.43, 8.5.63,... | > 8 months  | < 1 hour   |            | The fix for CVE-2020-9484 was incomplete. When     |
|                |          |      |                                 |         | > 8 months ago                      |             |            |            | using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1  |
|                |          |      |                                 |         |                                     |             |            |            | to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107    |
|                |          |      |                                 |         |                                     |             |            |            | with ...                                           |
+----------------+----------+------+---------------------------------+---------+-------------------------------------+-------------+------------+------------+----------------------------------------------------+
| CVE-2020-9484  | high     | 7.00 | apache tomcat_tomcat-embed-core | 8.5.46  | fixed in 9.0.43, 8.5.63, 7.0.108    | > 1 years   | < 1 hour   |            | When using Apache Tomcat versions 10.0.0-M1 to     |
|                |          |      |                                 |         | > 1 years ago                       |             |            |            | 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and |
|                |          |      |                                 |         |                                     |             |            |            | 7.0.0 to 7.0.103 if a                              |
+----------------+----------+------+---------------------------------+---------+-------------------------------------+-------------+------------+------------+----------------------------------------------------+
| CVE-2019-12418 | high     | 7.00 | apache tomcat_tomcat-embed-core | 8.5.46  | fixed in 9.0.29, 8.5.49, 7.0.99     | > 1 years   | < 1 hour   | -690       | When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to    |
|                |          |      |                                 |         | > 1 years ago                       |             |            |            | 8.5.47, 7.0.0 and 7.0.97 is configured with the    |
|                |          |      |                                 |         |                                     |             |            |            | JMX Remote Lifecycle Listener, a local attacker    |
|                |          |      |                                 |         |                                     |             |            |            | withou...                                          |
+----------------+----------+------+---------------------------------+---------+-------------------------------------+-------------+------------+------------+----------------------------------------------------+

Steps to Reproduce

N/A

Expected Behaviour

No vulnerabilities detected.

llinder commented 3 years ago

Turns out Thrift brought in Tomcat for some tests :-( Released 2.23.9, which doesn't include these transitive dependencies.
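The question above (is the flagged package actually reachable in the shipped Zipkin image, or only a test-scoped transitive dependency?) and the resolution (a release that no longer bundles it) can both be checked the same way: look inside the shipped jar for Maven `pom.properties` entries and compare the bundled version against the scanner's "fixed in" column for that release line. This is an added example, not Zipkin or Prisma Cloud code; the sample jars are constructed in memory.

```python
# Added example (not Zipkin project code): confirm whether a fat jar really
# bundles the flagged artifact, and whether that version predates the fix
# for its own major.minor line. Sample jars below are constructed.
import io
import re
import zipfile


def bundled_artifacts(jar_bytes):
    """Map (groupId, artifactId) -> version for each META-INF/maven/**/pom.properties."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            found[(props["groupId"], props["artifactId"])] = props["version"]
    return found


def _parse(version):
    # Only x.y.z is handled; milestone tags such as 9.0.0-M1 are not in scope here.
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())


def is_affected(version, fixed_in):
    """True/False if the scanner text lists a fix for this release line
    (e.g. 'fixed in 9.0.31, 8.5.51, 7.0.100'); None if it does not, so an
    absent line is reported as undetermined rather than as safe."""
    v = _parse(version)
    for fixed in re.findall(r"\d+\.\d+\.\d+", fixed_in):
        f = _parse(fixed)
        if f[:2] == v[:2]:
            return v < f
    return None


def make_jar(entries):
    """Build a constructed jar (zip) from {path: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in entries.items():
            zf.writestr(path, text)
    return buf.getvalue()


# Constructed inputs: a jar that bundles tomcat-embed-core 8.5.46 (the scanned version) and one that does not.
TOMCAT_PROPS = "META-INF/maven/org.apache.tomcat.embed/tomcat-embed-core/pom.properties"
FLAGGED_JAR = make_jar({TOMCAT_PROPS: "groupId=org.apache.tomcat.embed\nartifactId=tomcat-embed-core\nversion=8.5.46\n"})
CLEAN_JAR = make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
```

Running `bundled_artifacts` over the real `zipkin-server` exec jar (or the jar inside the image) answers the reachability question directly: a scanner hit with no matching `pom.properties` in the shipped artifact is a build-time or test-scope dependency, not a runtime one.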