

# Security update for tomcat

Announcement ID: SUSE-SU-2024:1345-1  
Rating: important  
References:

  * bsc#1221385
  * bsc#1221386

  
Cross-References:

  * CVE-2024-23672
  * CVE-2024-24549

  
CVSS scores:

  * CVE-2024-23672 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2024-24549 ( SUSE ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  
Affected Products:

  * Development Tools Module 15-SP5
  * openSUSE Leap 15.5
  * SUSE Enterprise Storage 7.1
  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4
  * SUSE Linux Enterprise Desktop 15 SP5
  * SUSE Linux Enterprise High Performance Computing 15 SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise High Performance Computing 15 SP3
  * SUSE Linux Enterprise High Performance Computing 15 SP4
  * SUSE Linux Enterprise High Performance Computing 15 SP5
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  * SUSE Linux Enterprise Micro 5.5
  * SUSE Linux Enterprise Real Time 15 SP5
  * SUSE Linux Enterprise Server 15 SP2
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  * SUSE Linux Enterprise Server 15 SP3
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  * SUSE Linux Enterprise Server 15 SP4
  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
  * SUSE Linux Enterprise Server 15 SP5
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4
  * SUSE Linux Enterprise Server for SAP Applications 15 SP5
  * SUSE Manager Server 4.3
  * SUSE Manager Server 4.3 Module 4.3
  * SUSE Package Hub 15 15-SP5
  * Web and Scripting Module 15-SP5

  
  
An update that solves two vulnerabilities can now be installed.

## Description:

This update for tomcat fixes the following issues:

  * CVE-2024-24549: Fixed denial of service during header validation for HTTP/2
    stream (bsc#1221386)
  * CVE-2024-23672: Fixed denial of service due to malicious WebSocket client
    keeping connection open (bsc#1221385)

Other fixes: \- Update to Tomcat 9.0.87  
* Catalina \+ Fix: Minor performance improvement for building filter chains.
Based on ideas from #702 by Luke Miao. (remm) \+ Fix: Align error handling for
Writer and OutputStream. Ensure use of either once the response has been
recycled triggers a NullPointerException provided that discardFacades is
configured with the default value of true. (markt) \+ Fix: 68692: The standard
thread pool implementations that are configured using the Executor element now
implement ExecutorService for better support NIO2. (remm) \+ Fix: 68495: When
restoring a saved POST request after a successful FORM authentication, ensure
that neither the URI, the query string nor the protocol are corrupted when
restoring the request body. (markt) \+ Fix: 68721: Workaround a possible cause
of duplicate class definitions when using ClassFileTransformers and the
transformation of a class also triggers the loading of the same class. (markt)
\+ Fix: The rewrite valve should not do a rewrite if the output is identical to
the input. (remm) \+ Update: Add a new valveSkip (or VS) rule flag to the
rewrite valve to allow skipping over the next valve in the Catalina pipeline.
(remm) \+ Fix: Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by
removing reference to org.apache.catalina.ssi package that is no longer included
in the JAR. Based on pull request #684 by Jendrik Johannes. (markt) \+ Fix: Fix
ServiceBindingPropertySource so that trailing \r\n sequences are correctly
removed from files containing property values when configured to do so. Bug
identified by Coverity Scan. (markt) \+ Add: Add improvements to the CSRF
prevention filter including the ability to skip adding nonces for resource name
and subtree URL patterns. (schultz) \+ Fix: Review usage of debug logging and
downgrade trace or data dumping operations from debug level to trace. (remm) \+
Fix: 68089: Further improve the performance of request attribute access for
ApplicationHttpRequest and ApplicationRequest. (markt) \+ Fix: 68559: Allow
asynchronous error handling to write to the response after an error during
asynchronous processing. (markt) * Coyote \+ Fix: Improve the HTTP/2 stream
prioritisation process. If a stream uses all of the connection windows and still
has content to write, it will now be added to the backlog immediately rather
than waiting until the write attempt for the remaining content. (markt) \+ Fix:
Make asynchronous error handling more robust. Ensure that once a connection is
marked to be closed, further asynchronous processing cannot change that. (markt)
\+ Fix: Make asynchronous error handling more robust. Ensure that once the call
to AsyncListener.onError() has returned to the container, only container threads
can access the AsyncContext. This protects against various race conditions that
woudl otherwise occur if application threads continued to access the
AsyncContext. \+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. In particular, most of the HTTP/2
debug logging has been changed to trace level. (remm) \+ Fix: Add support for
user provided SSLContext instances configured on SSLHostConfigCertificate
instances. Based on pull request #673 provided by Hakan AltÄ±ndaÄ. (markt) \+
Fix: Improve the Tomcat Native shutdown process to reduce the likelihood of a
JVM crash during Tomcat shutdown. (markt) \+ Fix: Partial fix for 68558: Cache
the result of converting to String for request URI, HTTP header names and the
request Content-Type value to improve performance by reducing repeated byte[] to
String conversions. (markt) \+ Fix: Improve error reporting to HTTP/2 clients
for header processing errors by reporting problems at the end of the frame where
the error was detected rather than at the end of the headers. (markt) \+ Fix:
Remove the remaining reference to a stream once the stream has been recycled.
This makes the stream eligible for garbage collection earlier and thereby
improves scalability. (markt) * Jasper \+ Add: Add support for specifying Java
22 (with the value 22) as the compiler source and/or compiler target for JSP
compilation. If used with an Eclipse JDT compiler version that does not support
these values, a warning will be logged and the default will used. (markt) \+
Fix: 68546: Generate optimal size and types for JSP imports maps, as suggested
by John Engebretson. (remm) \+ Fix: Review usage of debug logging and downgrade
trace or data dumping operations from debug level to trace. (remm) * Cluster \+
Fix: Avoid updating request count stats on async. (remm) * WebSocket \+ Fix:
Correct a regression in the fix for 66508 that could cause an UpgradeProcessor
leak in some circumstances. (markt) \+ Fix: Review usage of debug logging and
downgrade trace or data dumping operations from debug level to trace. (remm) \+
Fix: Ensure that WebSocket connection closure completes if the connection is
closed when the server side has used the proprietary suspend/resume feature to
suspend the connection. (markt) * Web applications \+ Add: Add support for
responses in JSON format from the examples application RequestHeaderExample.
(schultz) * Other \+ Add: Improvements to French translations. (remm) \+ Add:
Improvements to Japanese translations by tak7iji. (markt) \+ Update: Update
Checkstyle to 10.13.0. (markt) \+ Update: Update JSign to 6.0. (markt) \+
Update: Add strings for debug level messages. (remm) \+ Update: Update Tomcat
Native to 1.3.0. (markt) \+ Add: Improvements to French translations. (remm) \+
Add: Improvements to Japanese translations by tak7iji. (markt)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * openSUSE Leap 15.5  
    zypper in -t patch openSUSE-SLE-15.5-2024-1345=1

  * Development Tools Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-1345=1

  * SUSE Package Hub 15 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-1345=1

  * SUSE Manager Server 4.3 Module 4.3  
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-1345=1

  * Web and Scripting Module 15-SP5  
    zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP5-2024-1345=1

  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-1345=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-1345=1

  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-1345=1

  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4  
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-1345=1

  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4  
    zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-1345=1

  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-1345=1

  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-1345=1

  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4  
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-1345=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP2  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-1345=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP3  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-1345=1

  * SUSE Linux Enterprise Server for SAP Applications 15 SP4  
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-1345=1

  * SUSE Manager Server 4.3  
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-1345=1

  * SUSE Enterprise Storage 7.1  
    zypper in -t patch SUSE-Storage-7.1-2024-1345=1

## Package List:

  * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-jsvc-debuginfo-1.3.4-150200.11.14.1
    * apache-commons-daemon-jsvc-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * openSUSE Leap 15.5 (noarch)
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * geronimo-servlet-2_5-api-1.2-150200.15.8.1
    * geronimo-j2ee-1_4-apis-1.2-150200.15.8.1
    * geronimo-ws-metadata-2_0-api-1.2-150200.15.8.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * geronimo-j2ee-management-1_1-api-1.2-150200.15.8.1
    * geronimo-javamail-1_3_1-api-1.2-150200.15.8.1
    * geronimo-jsp-2_1-api-1.2-150200.15.8.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * geronimo-jaxr-1_0-api-1.2-150200.15.8.1
    * geronimo-jaxrpc-1_1-api-1.2-150200.15.8.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-corba-1_0-apis-1.2-150200.15.8.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-docs-webapp-9.0.87-150200.65.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * geronimo-jacc-1_0-api-1.2-150200.15.8.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * geronimo-j2ee-management-1_0-api-1.2-150200.15.8.1
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * geronimo-j2ee-deployment-1_1-api-1.2-150200.15.8.1
    * geronimo-saaj-1_1-api-1.2-150200.15.8.1
    * geronimo-javaee-deployment-1_1-api-1.2-150200.15.8.1
    * tomcat-webapps-9.0.87-150200.65.1
    * geronimo-interceptor-3_0-api-1.2-150200.15.8.1
    * geronimo-jsp-2_0-api-1.2-150200.15.8.1
    * apache-commons-dbcp-javadoc-2.1.1-150200.10.8.1
    * geronimo-commonj-1_1-apis-1.2-150200.15.8.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
    * tomcat-9.0.87-150200.65.1
    * geronimo-jta-1_0_1B-api-1.2-150200.15.8.1
    * geronimo-ejb-3_0-api-1.2-150200.15.8.1
    * geronimo-el-1_0-api-1.2-150200.15.8.1
    * geronimo-j2ee-connector-1_5-api-1.2-150200.15.8.1
    * tomcat-lib-9.0.87-150200.65.1
    * apache-commons-daemon-javadoc-1.3.4-150200.11.14.1
    * geronimo-corba-2_3-apis-1.2-150200.15.8.1
    * tomcat-javadoc-9.0.87-150200.65.1
    * geronimo-servlet-2_4-api-1.2-150200.15.8.1
    * geronimo-javamail-1_4-api-1.2-150200.15.8.1
    * geronimo-jaf-1_0_2-api-1.2-150200.15.8.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * apache-commons-pool2-javadoc-2.4.2-150200.11.8.1
    * geronimo-jaf-1_1-api-1.2-150200.15.8.1
    * geronimo-ejb-2_1-api-1.2-150200.15.8.1
    * tomcat-embed-9.0.87-150200.65.1
    * geronimo-jacc-1_1-api-1.2-150200.15.8.1
    * jakarta-taglibs-standard-javadoc-1.1.1-150000.4.10.1
    * tomcat-jsvc-9.0.87-150200.65.1
    * geronimo-qname-1_1-api-1.2-150200.15.8.1
    * geronimo-jpa-3_0-api-1.2-150200.15.8.1
  * Development Tools Module 15-SP5 (noarch)
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
  * SUSE Package Hub 15 15-SP5 (noarch)
    * geronimo-j2ee-connector-1_5-api-1.2-150200.15.8.1
    * geronimo-j2ee-1_4-apis-1.2-150200.15.8.1
    * geronimo-servlet-2_4-api-1.2-150200.15.8.1
    * geronimo-javamail-1_4-api-1.2-150200.15.8.1
    * geronimo-jsp-2_0-api-1.2-150200.15.8.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
    * geronimo-jaf-1_1-api-1.2-150200.15.8.1
  * SUSE Manager Server 4.3 Module 4.3 (noarch)
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
  * Web and Scripting Module 15-SP5 (aarch64 ppc64le s390x x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * Web and Scripting Module 15-SP5 (noarch)
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * tomcat-lib-9.0.87-150200.65.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * tomcat-webapps-9.0.87-150200.65.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * tomcat-9.0.87-150200.65.1
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64
    x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * tomcat-lib-9.0.87-150200.65.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * tomcat-webapps-9.0.87-150200.65.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * tomcat-9.0.87-150200.65.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64
    x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * tomcat-lib-9.0.87-150200.65.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * tomcat-webapps-9.0.87-150200.65.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * tomcat-9.0.87-150200.65.1
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64
    x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * tomcat-lib-9.0.87-150200.65.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * tomcat-webapps-9.0.87-150200.65.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * tomcat-9.0.87-150200.65.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64
    x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * tomcat-lib-9.0.87-150200.65.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * tomcat-webapps-9.0.87-150200.65.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * tomcat-9.0.87-150200.65.1
  * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (noarch)
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x
    x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * tomcat-lib-9.0.87-150200.65.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * tomcat-webapps-9.0.87-150200.65.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * tomcat-9.0.87-150200.65.1
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x
    x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * tomcat-lib-9.0.87-150200.65.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * tomcat-webapps-9.0.87-150200.65.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * tomcat-9.0.87-150200.65.1
  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x
    x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch)
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * tomcat-lib-9.0.87-150200.65.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * tomcat-webapps-9.0.87-150200.65.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * tomcat-9.0.87-150200.65.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * tomcat-lib-9.0.87-150200.65.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * tomcat-webapps-9.0.87-150200.65.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * tomcat-9.0.87-150200.65.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * tomcat-lib-9.0.87-150200.65.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * tomcat-webapps-9.0.87-150200.65.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * tomcat-9.0.87-150200.65.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * tomcat-lib-9.0.87-150200.65.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * tomcat-webapps-9.0.87-150200.65.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * tomcat-9.0.87-150200.65.1
  * SUSE Manager Server 4.3 (ppc64le s390x x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * SUSE Manager Server 4.3 (noarch)
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * tomcat-lib-9.0.87-150200.65.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * tomcat-webapps-9.0.87-150200.65.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * tomcat-9.0.87-150200.65.1
  * SUSE Enterprise Storage 7.1 (aarch64 x86_64)
    * apache-commons-daemon-1.3.4-150200.11.14.1
    * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1
  * SUSE Enterprise Storage 7.1 (noarch)
    * apache-commons-pool2-2.4.2-150200.11.8.1
    * geronimo-annotation-1_0-api-1.2-150200.15.8.1
    * tomcat-jsp-2_3-api-9.0.87-150200.65.1
    * tomcat-lib-9.0.87-150200.65.1
    * jakarta-taglibs-standard-1.1.1-150000.4.10.1
    * tomcat-servlet-4_0-api-9.0.87-150200.65.1
    * tomcat-webapps-9.0.87-150200.65.1
    * geronimo-stax-1_0-api-1.2-150200.15.8.1
    * tomcat-admin-webapps-9.0.87-150200.65.1
    * geronimo-jta-1_1-api-1.2-150200.15.8.1
    * tomcat-el-3_0-api-9.0.87-150200.65.1
    * geronimo-jms-1_1-api-1.2-150200.15.8.1
    * apache-commons-dbcp-2.1.1-150200.10.8.1
    * tomcat-9.0.87-150200.65.1

## References:

  * https://www.suse.com/security/cve/CVE-2024-23672.html
  * https://www.suse.com/security/cve/CVE-2024-24549.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1221385
  * https://bugzilla.suse.com/show_bug.cgi?id=1221386

SUSE: 2024:1345-1 important: tomcat Security Advisory Updates

April 18, 2024

* bsc#1221385 * bsc#1221386 Cross-References: * CVE-2024-23672

Summary

## This update for tomcat fixes the following issues: * CVE-2024-24549: Fixed denial of service during header validation for HTTP/2 stream (bsc#1221386) * CVE-2024-23672: Fixed denial of service due to malicious WebSocket client keeping connection open (bsc#1221385) Other fixes: \- Update to Tomcat 9.0.87 * Catalina \+ Fix: Minor performance improvement for building filter chains. Based on ideas from #702 by Luke Miao. (remm) \+ Fix: Align error handling for Writer and OutputStream. Ensure use of either once the response has been recycled triggers a NullPointerException provided that discardFacades is configured with the default value of true. (markt) \+ Fix: 68692: The standard thread pool implementations that are configured using the Executor element now implement ExecutorService for better support NIO2. (remm) \+ Fix: 68495: When restoring a saved POST request after a successful FORM authentication, ensure that neither the URI, the query string nor the protocol are corrupted when restoring the request body. (markt) \+ Fix: 68721: Workaround a possible cause of duplicate class definitions when using ClassFileTransformers and the transformation of a class also triggers the loading of the same class. (markt) \+ Fix: The rewrite valve should not do a rewrite if the output is identical to the input. (remm) \+ Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to allow skipping over the next valve in the Catalina pipeline. (remm) \+ Fix: Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by removing reference to org.apache.catalina.ssi package that is no longer included in the JAR. Based on pull request #684 by Jendrik Johannes. (markt) \+ Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences are correctly removed from files containing property values when configured to do so. Bug identified by Coverity Scan. (markt) \+ Add: Add improvements to the CSRF prevention filter including the ability to skip adding nonces for resource name and subtree URL patterns. (schultz) \+ Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm) \+ Fix: 68089: Further improve the performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt) \+ Fix: 68559: Allow asynchronous error handling to write to the response after an error during asynchronous processing. (markt) * Coyote \+ Fix: Improve the HTTP/2 stream prioritisation process. If a stream uses all of the connection windows and still has content to write, it will now be added to the backlog immediately rather than waiting until the write attempt for the remaining content. (markt) \+ Fix: Make asynchronous error handling more robust. Ensure that once a connection is marked to be closed, further asynchronous processing cannot change that. (markt) \+ Fix: Make asynchronous error handling more robust. Ensure that once the call to AsyncListener.onError() has returned to the container, only container threads can access the AsyncContext. This protects against various race conditions that woudl otherwise occur if application threads continued to access the AsyncContext. \+ Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. In particular, most of the HTTP/2 debug logging has been changed to trace level. (remm) \+ Fix: Add support for user provided SSLContext instances configured on SSLHostConfigCertificate instances. Based on pull request #673 provided by Hakan AltÄ±ndaÄ. (markt) \+ Fix: Improve the Tomcat Native shutdown process to reduce the likelihood of a JVM crash during Tomcat shutdown. (markt) \+ Fix: Partial fix for 68558: Cache the result of converting to String for request URI, HTTP header names and the request Content-Type value to improve performance by reducing repeated byte[] to String conversions. (markt) \+ Fix: Improve error reporting to HTTP/2 clients for header processing errors by reporting problems at the end of the frame where the error was detected rather than at the end of the headers. (markt) \+ Fix: Remove the remaining reference to a stream once the stream has been recycled. This makes the stream eligible for garbage collection earlier and thereby improves scalability. (markt) * Jasper \+ Add: Add support for specifying Java 22 (with the value 22) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt) \+ Fix: 68546: Generate optimal size and types for JSP imports maps, as suggested by John Engebretson. (remm) \+ Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm) * Cluster \+ Fix: Avoid updating request count stats on async. (remm) * WebSocket \+ Fix: Correct a regression in the fix for 66508 that could cause an UpgradeProcessor leak in some circumstances. (markt) \+ Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm) \+ Fix: Ensure that WebSocket connection closure completes if the connection is closed when the server side has used the proprietary suspend/resume feature to suspend the connection. (markt) * Web applications \+ Add: Add support for responses in JSON format from the examples application RequestHeaderExample. (schultz) * Other \+ Add: Improvements to French translations. (remm) \+ Add: Improvements to Japanese translations by tak7iji. (markt) \+ Update: Update Checkstyle to 10.13.0. (markt) \+ Update: Update JSign to 6.0. (markt) \+ Update: Add strings for debug level messages. (remm) \+ Update: Update Tomcat Native to 1.3.0. (markt) \+ Add: Improvements to French translations. (remm) \+ Add: Improvements to Japanese translations by tak7iji. (markt) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2024-1345=1 * Development Tools Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP5-2024-1345=1 * SUSE Package Hub 15 15-SP5 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-1345=1 * SUSE Manager Server 4.3 Module 4.3 zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-1345=1 * Web and Scripting Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP5-2024-1345=1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-1345=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-1345=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-1345=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-1345=1 * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 zypper in -t patch SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-1345=1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-1345=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-1345=1 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-1345=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-1345=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-1345=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-1345=1 * SUSE Manager Server 4.3 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-1345=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2024-1345=1 ## Package List: * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-jsvc-debuginfo-1.3.4-150200.11.14.1 * apache-commons-daemon-jsvc-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * openSUSE Leap 15.5 (noarch) * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * geronimo-servlet-2_5-api-1.2-150200.15.8.1 * geronimo-j2ee-1_4-apis-1.2-150200.15.8.1 * geronimo-ws-metadata-2_0-api-1.2-150200.15.8.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * geronimo-j2ee-management-1_1-api-1.2-150200.15.8.1 * geronimo-javamail-1_3_1-api-1.2-150200.15.8.1 * geronimo-jsp-2_1-api-1.2-150200.15.8.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * geronimo-jaxr-1_0-api-1.2-150200.15.8.1 * geronimo-jaxrpc-1_1-api-1.2-150200.15.8.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-corba-1_0-apis-1.2-150200.15.8.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-docs-webapp-9.0.87-150200.65.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * geronimo-jacc-1_0-api-1.2-150200.15.8.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * geronimo-j2ee-management-1_0-api-1.2-150200.15.8.1 * apache-commons-pool2-2.4.2-150200.11.8.1 * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * geronimo-j2ee-deployment-1_1-api-1.2-150200.15.8.1 * geronimo-saaj-1_1-api-1.2-150200.15.8.1 * geronimo-javaee-deployment-1_1-api-1.2-150200.15.8.1 * tomcat-webapps-9.0.87-150200.65.1 * geronimo-interceptor-3_0-api-1.2-150200.15.8.1 * geronimo-jsp-2_0-api-1.2-150200.15.8.1 * apache-commons-dbcp-javadoc-2.1.1-150200.10.8.1 * geronimo-commonj-1_1-apis-1.2-150200.15.8.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * tomcat-9.0.87-150200.65.1 * geronimo-jta-1_0_1B-api-1.2-150200.15.8.1 * geronimo-ejb-3_0-api-1.2-150200.15.8.1 * geronimo-el-1_0-api-1.2-150200.15.8.1 * geronimo-j2ee-connector-1_5-api-1.2-150200.15.8.1 * tomcat-lib-9.0.87-150200.65.1 * apache-commons-daemon-javadoc-1.3.4-150200.11.14.1 * geronimo-corba-2_3-apis-1.2-150200.15.8.1 * tomcat-javadoc-9.0.87-150200.65.1 * geronimo-servlet-2_4-api-1.2-150200.15.8.1 * geronimo-javamail-1_4-api-1.2-150200.15.8.1 * geronimo-jaf-1_0_2-api-1.2-150200.15.8.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * apache-commons-pool2-javadoc-2.4.2-150200.11.8.1 * geronimo-jaf-1_1-api-1.2-150200.15.8.1 * geronimo-ejb-2_1-api-1.2-150200.15.8.1 * tomcat-embed-9.0.87-150200.65.1 * geronimo-jacc-1_1-api-1.2-150200.15.8.1 * jakarta-taglibs-standard-javadoc-1.1.1-150000.4.10.1 * tomcat-jsvc-9.0.87-150200.65.1 * geronimo-qname-1_1-api-1.2-150200.15.8.1 * geronimo-jpa-3_0-api-1.2-150200.15.8.1 * Development Tools Module 15-SP5 (noarch) * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * SUSE Package Hub 15 15-SP5 (noarch) * geronimo-j2ee-connector-1_5-api-1.2-150200.15.8.1 * geronimo-j2ee-1_4-apis-1.2-150200.15.8.1 * geronimo-servlet-2_4-api-1.2-150200.15.8.1 * geronimo-javamail-1_4-api-1.2-150200.15.8.1 * geronimo-jsp-2_0-api-1.2-150200.15.8.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * geronimo-jaf-1_1-api-1.2-150200.15.8.1 * SUSE Manager Server 4.3 Module 4.3 (noarch) * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * Web and Scripting Module 15-SP5 (aarch64 ppc64le s390x x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * Web and Scripting Module 15-SP5 (noarch) * apache-commons-pool2-2.4.2-150200.11.8.1 * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * tomcat-lib-9.0.87-150200.65.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * tomcat-webapps-9.0.87-150200.65.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * tomcat-9.0.87-150200.65.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch) * apache-commons-pool2-2.4.2-150200.11.8.1 * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * tomcat-lib-9.0.87-150200.65.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * tomcat-webapps-9.0.87-150200.65.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * tomcat-9.0.87-150200.65.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch) * apache-commons-pool2-2.4.2-150200.11.8.1 * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * tomcat-lib-9.0.87-150200.65.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * tomcat-webapps-9.0.87-150200.65.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * tomcat-9.0.87-150200.65.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch) * apache-commons-pool2-2.4.2-150200.11.8.1 * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * tomcat-lib-9.0.87-150200.65.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * tomcat-webapps-9.0.87-150200.65.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * tomcat-9.0.87-150200.65.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch) * apache-commons-pool2-2.4.2-150200.11.8.1 * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * tomcat-lib-9.0.87-150200.65.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * tomcat-webapps-9.0.87-150200.65.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * tomcat-9.0.87-150200.65.1 * SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (noarch) * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch) * apache-commons-pool2-2.4.2-150200.11.8.1 * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * tomcat-lib-9.0.87-150200.65.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * tomcat-webapps-9.0.87-150200.65.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * tomcat-9.0.87-150200.65.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch) * apache-commons-pool2-2.4.2-150200.11.8.1 * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * tomcat-lib-9.0.87-150200.65.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * tomcat-webapps-9.0.87-150200.65.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * tomcat-9.0.87-150200.65.1 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch) * apache-commons-pool2-2.4.2-150200.11.8.1 * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * tomcat-lib-9.0.87-150200.65.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * tomcat-webapps-9.0.87-150200.65.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * tomcat-9.0.87-150200.65.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch) * apache-commons-pool2-2.4.2-150200.11.8.1 * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * tomcat-lib-9.0.87-150200.65.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * tomcat-webapps-9.0.87-150200.65.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * tomcat-9.0.87-150200.65.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch) * apache-commons-pool2-2.4.2-150200.11.8.1 * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * tomcat-lib-9.0.87-150200.65.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * tomcat-webapps-9.0.87-150200.65.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * tomcat-9.0.87-150200.65.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch) * apache-commons-pool2-2.4.2-150200.11.8.1 * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * tomcat-lib-9.0.87-150200.65.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * tomcat-webapps-9.0.87-150200.65.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * tomcat-9.0.87-150200.65.1 * SUSE Manager Server 4.3 (ppc64le s390x x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * SUSE Manager Server 4.3 (noarch) * apache-commons-pool2-2.4.2-150200.11.8.1 * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * tomcat-lib-9.0.87-150200.65.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * tomcat-webapps-9.0.87-150200.65.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * tomcat-9.0.87-150200.65.1 * SUSE Enterprise Storage 7.1 (aarch64 x86_64) * apache-commons-daemon-1.3.4-150200.11.14.1 * apache-commons-daemon-debugsource-1.3.4-150200.11.14.1 * SUSE Enterprise Storage 7.1 (noarch) * apache-commons-pool2-2.4.2-150200.11.8.1 * geronimo-annotation-1_0-api-1.2-150200.15.8.1 * tomcat-jsp-2_3-api-9.0.87-150200.65.1 * tomcat-lib-9.0.87-150200.65.1 * jakarta-taglibs-standard-1.1.1-150000.4.10.1 * tomcat-servlet-4_0-api-9.0.87-150200.65.1 * tomcat-webapps-9.0.87-150200.65.1 * geronimo-stax-1_0-api-1.2-150200.15.8.1 * tomcat-admin-webapps-9.0.87-150200.65.1 * geronimo-jta-1_1-api-1.2-150200.15.8.1 * tomcat-el-3_0-api-9.0.87-150200.65.1 * geronimo-jms-1_1-api-1.2-150200.15.8.1 * apache-commons-dbcp-2.1.1-150200.10.8.1 * tomcat-9.0.87-150200.65.1

References

* bsc#1221385

* bsc#1221386

Cross-

* CVE-2024-23672

* CVE-2024-24549

CVSS scores:

* CVE-2024-23672 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

* CVE-2024-24549 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* Development Tools Module 15-SP5

* openSUSE Leap 15.5

* SUSE Enterprise Storage 7.1

* SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4

* SUSE Linux Enterprise Desktop 15 SP5

* SUSE Linux Enterprise High Performance Computing 15 SP2

* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2

* SUSE Linux Enterprise High Performance Computing 15 SP3

* SUSE Linux Enterprise High Performance Computing 15 SP4

* SUSE Linux Enterprise High Performance Computing 15 SP5

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4

* SUSE Linux Enterprise Micro 5.5

* SUSE Linux Enterprise Real Time 15 SP5

* SUSE Linux Enterprise Server 15 SP2

* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2

* SUSE Linux Enterprise Server 15 SP3

* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3

* SUSE Linux Enterprise Server 15 SP4

* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4

* SUSE Linux Enterprise Server 15 SP5

* SUSE Linux Enterprise Server for SAP Applications 15 SP2

* SUSE Linux Enterprise Server for SAP Applications 15 SP3

* SUSE Linux Enterprise Server for SAP Applications 15 SP4

* SUSE Linux Enterprise Server for SAP Applications 15 SP5

* SUSE Manager Server 4.3

* SUSE Manager Server 4.3 Module 4.3

* SUSE Package Hub 15 15-SP5

* Web and Scripting Module 15-SP5

An update that solves two vulnerabilities can now be installed.

* https://www.suse.com/security/cve/CVE-2024-23672.html

* https://www.suse.com/security/cve/CVE-2024-24549.html

* https://bugzilla.suse.com/show_bug.cgi?id=1221385

* https://bugzilla.suse.com/show_bug.cgi?id=1221386

Severity

Announcement ID: SUSE-SU-2024:1345-1

Rating: important

SUSE: 2024:1345-1 important: tomcat Security Advisory Updates

Summary

References

Related News

Get the Latest News & Insights

News

Advisories

HOWTOs

Features

About Us

Powered By