CVE-2021-30640

NameCVE-2021-30640
DescriptionA vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2733-1, DSA-4952-1, ELA-475-1, ELA-735-1
Debian Bugs991046

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat7 (PTS)jessie, jessie (lts)7.0.56-3+really7.0.109-1+deb8u6fixed
stretch7.0.75-1vulnerable
tomcat8 (PTS)jessie, jessie (lts)8.0.14-1+deb8u28fixed
stretch (security)8.5.54-0+deb9u8fixed
stretch (lts), stretch8.5.54-0+deb9u15fixed
tomcat9 (PTS)buster (security), buster, buster (lts)9.0.31-1~deb10u12fixed
bullseye (security), bullseye9.0.43-2~deb11u10fixed
bookworm9.0.70-2fixed
sid, trixie9.0.95-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat7sourcejessie7.0.56-3+really7.0.109-1+deb8u1ELA-735-1
tomcat7sourcestretch(unfixed)end-of-life
tomcat7source(unstable)(unfixed)
tomcat8sourcejessie8.0.14-1+deb8u22ELA-475-1
tomcat8sourcestretch8.5.54-0+deb9u7DLA-2733-1
tomcat8source(unstable)(unfixed)
tomcat9sourcebuster9.0.31-1~deb10u6
tomcat9sourcebullseye9.0.43-2~deb11u1
tomcat9source(unstable)9.0.43-2991046

Notes

https://bz.apache.org/bugzilla/show_bug.cgi?id=65224
https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb (9.0.46)
https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434 (9.0.46)
https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e (9.0.46)
https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56 (9.0.46)
https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862 (9.0.46)
https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43 (9.0.46)
https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0 (9.0.46)
https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945 (9.0.46)
https://github.com/apache/tomcat/commit/24dfb30076997b640e5123e92c4b8d7f206f609c (8.5.66)
https://github.com/apache/tomcat/commit/0a272b00aed57526dbfc8b881ab253c23c61f100 (8.5.66)
https://github.com/apache/tomcat/commit/c9f21a2a7908c7c4ecd4f9bb495d3ee36a2bd822 (8.5.66)
https://github.com/apache/tomcat/commit/4e86b4ea0d1a9b00fa93971c31b93ad1bd49c7fe (8.5.66)
https://github.com/apache/tomcat/commit/79580e7f70a07c083be07307376511bb864d5a7b (8.5.66)
https://github.com/apache/tomcat/commit/d3407672774e372fae8b5898d55f85d16f22b972 (8.5.66)
https://github.com/apache/tomcat/commit/6a9129ac9bd06555ce04bb564a76fc3987311f38 (8.5.66)
https://github.com/apache/tomcat/commit/ad22db641dcd61c2e8078f658fa709897b5da375 (8.5.66)
Fix for CVE-2021-30640 introduced a regression:
https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
<fix-pending> There is also a regression identified in the main security tracker that should be fixed in next update
The SSL certificates used by the unit tests have expired and must be refreshed

Search for package or bug name: Reporting problems