Chris, thanks for your comprehensive explanation about these various mitigation measures.
Best regards,
Peyton Zhong

From: Christopher Schultz <ch...@christopherschultz.net>
Date: Sunday, 7 July 2024 at 1:23 AM
To: users@tomcat.apache.org <users@tomcat.apache.org>
Subject: Re: Inquiry about CVE-2024-5535 Vulnerability in Tomcat 10.1.20 Version

Peyton,

On 7/6/24 00:08, Zhong, Peyton wrote:
> I am writing to inquire about the potential impact of the recently detected
> critical vulnerability: CVE-2024-5535 <https://nvd.nist.gov/vuln/detail/CVE-2024-5535>
> (9.1 CRITICAL / CVSS v3), in OpenSSL 3.0.13 on the Tomcat 10.1.20 version.
> According to Black Duck Binary Analysis (BDBA) scans, this vulnerability has
> been identified within the Tomcat 10.1.20 version. There are other detected
> vulnerabilities inside OpenSSL on Tomcat, such as CVE-2024-4603 and
> CVE-2024-2511.
>
> The detected file is: apache-tomcat-10.1.20/bin/tcnative-2.dll
>
> Given this disconcerting discovery, we are seeking clarification on how
> CVE-2024-5535 may affect the Tomcat 10.1.20 version. It is of utmost
> importance for us to understand the implications of this vulnerability and to
> identify any available mitigations or patches to address this issue.
>
> Your prompt attention to this matter is highly valued, and we would be
> grateful for any assistance or guidance you can provide to help us navigate
> this potential security concern.
>
> Thank you for your time and consideration.
Official Tomcat distributions from ASF ship with a statically-linked OpenSSL DLL for Windows. Those DLLs come from the Tomcat-Native project. Each release of Tomcat Native includes the most-recent version of OpenSSL at the time of its release. Often, Tomcat Native releases are tied to important OpenSSL releases for this reason (convenience statically-linked binary for Windows).

You can upgrade (almost) any Tomcat installation with (almost) any newer version of Tomcat Native you wish. It would probably be better to simply upgrade Tomcat itself, which will include the latest version of Tomcat Native at the time of release.

It seems there is a new OpenSSL release 3.0.14, while Tomcats and Tomcat Natives after ~Feb 2024 include OpenSSL 3.0.13.

If you are not using Windows, then you can safely remove this file. If you are not using TLS, you can most likely safely remove this file. If you are not using Tomcat Native, then you can safely remove tcnative-2.dll from your environment.

If you are not sure if tcnative is being used in your environment, you should find someone who is sure.

-chris
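Chris's advice turns on whether Tomcat Native is actually loaded, which is decided by server.xml rather than by the presence of tcnative-2.dll in bin/. The script below is an added example, not from the thread or the Tomcat project: it strips XML comments and then looks for the three configuration elements that cause tcnative/OpenSSL to be used (the AprLifecycleListener, an APR connector, or the OpenSSL SSL implementation). The two server.xml fragments are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report whether a server.xml configures anything that loads
# Tomcat Native (tcnative), the component that bundles OpenSSL on Windows.
# XML comments are stripped first so a commented-out listener or connector
# (as in many shipped server.xml files) does not count as a hit.

# Remove <!-- ... --> blocks, including multi-line ones, from stdin.
strip_xml_comments() {
  awk '{ s = s $0 "\n" }
       END {
         while ((i = index(s, "<!--")) > 0) {
           rest = substr(s, i + 4)
           j = index(rest, "-->")
           if (j == 0) { s = substr(s, 1, i - 1); break }
           s = substr(s, 1, i - 1) substr(rest, j + 3)
         }
         printf "%s", s
       }'
}

# Read server.xml on stdin; print "yes:<indicators>" or "no".
tcnative_in_use() {
  cfg=$(strip_xml_comments)
  hits=""
  case "$cfg" in *AprLifecycleListener*)  hits="$hits AprLifecycleListener" ;; esac
  case "$cfg" in *Http11AprProtocol*)     hits="$hits Http11AprProtocol" ;; esac
  case "$cfg" in *OpenSSLImplementation*) hits="$hits OpenSSLImplementation" ;; esac
  if [ -n "$hits" ]; then echo "yes:$hits"; else echo "no"; fi
}

# Constructed server.xml fragments for demonstration (not from the thread).
APR_CFG='<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true" />
  </Service>
</Server>'

NIO_CFG='<Server port="8005" shutdown="SHUTDOWN">
  <!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
       <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" /> -->
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" />
  </Service>
</Server>'

printf '%s\n' "$APR_CFG" | tcnative_in_use   # yes: AprLifecycleListener Http11AprProtocol
printf '%s\n' "$NIO_CFG" | tcnative_in_use   # no
```

On a real installation run `tcnative_in_use < conf/server.xml`; a "no" result means the connectors use JSSE and tcnative-2.dll is not loaded, which is the case Chris describes as safe for removal.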