| Name | CVE-2021-30640 |
| Description | A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2733-1, DSA-4952-1, ELA-475-1, ELA-735-1 |
| Debian Bugs | 991046 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| tomcat7 (PTS) | jessie, jessie (lts) | 7.0.56-3+really7.0.109-1+deb8u5 | fixed |
| stretch | 7.0.75-1 | vulnerable | |
| tomcat8 (PTS) | jessie, jessie (lts) | 8.0.14-1+deb8u27 | fixed |
| stretch (security) | 8.5.54-0+deb9u8 | fixed | |
| stretch (lts), stretch | 8.5.54-0+deb9u15 | fixed | |
| tomcat9 (PTS) | buster | 9.0.31-1~deb10u6 | fixed |
| buster (security) | 9.0.31-1~deb10u12 | fixed | |
| bullseye | 9.0.43-2~deb11u9 | fixed | |
| bullseye (security) | 9.0.43-2~deb11u10 | fixed | |
| sid, trixie, bookworm | 9.0.70-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tomcat7 | source | jessie | 7.0.56-3+really7.0.109-1+deb8u1 | ELA-735-1 | ||
| tomcat7 | source | stretch | (unfixed) | end-of-life | ||
| tomcat7 | source | (unstable) | (unfixed) | |||
| tomcat8 | source | jessie | 8.0.14-1+deb8u22 | ELA-475-1 | ||
| tomcat8 | source | stretch | 8.5.54-0+deb9u7 | DLA-2733-1 | ||
| tomcat8 | source | (unstable) | (unfixed) | |||
| tomcat9 | source | buster | 9.0.31-1~deb10u6 | |||
| tomcat9 | source | bullseye | 9.0.43-2~deb11u1 | |||
| tomcat9 | source | (unstable) | 9.0.43-2 | 991046 |
https://bz.apache.org/bugzilla/show_bug.cgi?id=65224
https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb (9.0.46)
https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434 (9.0.46)
https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e (9.0.46)
https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56 (9.0.46)
https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862 (9.0.46)
https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43 (9.0.46)
https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0 (9.0.46)
https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945 (9.0.46)
https://github.com/apache/tomcat/commit/24dfb30076997b640e5123e92c4b8d7f206f609c (8.5.66)
https://github.com/apache/tomcat/commit/0a272b00aed57526dbfc8b881ab253c23c61f100 (8.5.66)
https://github.com/apache/tomcat/commit/c9f21a2a7908c7c4ecd4f9bb495d3ee36a2bd822 (8.5.66)
https://github.com/apache/tomcat/commit/4e86b4ea0d1a9b00fa93971c31b93ad1bd49c7fe (8.5.66)
https://github.com/apache/tomcat/commit/79580e7f70a07c083be07307376511bb864d5a7b (8.5.66)
https://github.com/apache/tomcat/commit/d3407672774e372fae8b5898d55f85d16f22b972 (8.5.66)
https://github.com/apache/tomcat/commit/6a9129ac9bd06555ce04bb564a76fc3987311f38 (8.5.66)
https://github.com/apache/tomcat/commit/ad22db641dcd61c2e8078f658fa709897b5da375 (8.5.66)
Fix for CVE-2021-30640 introduced a regression:
https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
<fix-pending> There is also a regression identified in the main security tracker that should be fixed in next update
The SSL certificates used by the unit tests have expired and must be refreshed