Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 6.13.0
Component/s: Security
Labels:

Story Points:
0
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
BZ Flags:
BZ Status:
CLOSED
Bugzilla Bug:
RHBZ: 2215345
PM Score:
31,100
Satellite Team:

Platform
BZ Keywords:
Intelligence Requested:
Market:

Severity:
Important

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

PX Priority Data:
PX Impact Score:

Description of problem:

Tomcat version shipped with Satellite 6.11\12\13 is susceptable to many CVEs as reported by Nessus and Qualys VA scan.

Satellite 6.11\12\13 runs on RHEL 8. The tomcat component is provided by pki-servlet-engine package and the version is 9.0.50.0

rpm -qf `which tomcat`
pki-servlet-engine-9.0.50-1.module+el8.7.0+15761+f86c9a56.noarch

tomcat version
Server version: Apache Tomcat/9.0.50
Server built: Jun 24 2022 20:49:41 UTC
Server number: 9.0.50.0
OS Name: Linux
OS Version: 4.18.0-425.3.1.el8.x86_64
Architecture: amd64
JVM Version: 11.0.19+7-LTS
JVM Vendor: Red Hat, Inc.

When Nessus or Qualys VA scan is being done on the mentioned versions of satellite, The following list of CVE's are reported as affected.

CVE-2021-42340
CVE-2022-29885
CVE-2022-34305
CVE-2022-42252 ( https://access.redhat.com/solutions/6996506 )
CVE-2022-45143 ( https://access.redhat.com/solutions/6999616 )
CVE-2023-24998
CVE-2021-43980
CVE-2023-28708
CVE-2022-22965 ( https://access.redhat.com/solutions/6871231 )

For some of them, we may have an explanation but for the majority, we don't. RHEL 8.8 ships tomcat binary via tomcat package directly but even that is of version 9.0.62-5. To mark these VA scans fixed\resolved, The version of Tomcat needs to be >= 9.0.68 .

Version-Release number of selected component (if applicable):

Red Hat Satellite 6.11
Red Hat Satellite 6.12
Red Hat Satellite 6.13
pki-servlet-engine ( tomcat ) 9.0.50.0

How reproducible:

Always

Steps to Reproduce:
1. Install any of the above-mentioned versions of the satellite.
2. Run a VA scan using Nessus or Qualys

Actual results:

As explained in the Description.

Expected results:

Either user should not see that many vulnerabilities reported or RedHat should have proper justification for each of these CVEs explaining why RH Satellite as a product is not affected even if it has the vulnerable version of Tomcat installed.

A very good example is :

Is Red Hat Satellite 6 functionality impacted by the Request Smuggling Vulnerability CVE-2022-42252? - Red Hat Customer Portal
https://access.redhat.com/solutions/6996506

Additional info:

NA

is blocked by

RHEL-6971 Add Obsoletes to tomcat package

Closed

is related to

SAT-22888 Package candlepin can not be installed due to an unmet dependency on pki-servlet-engine

Closed

external trackers

Red Hat Customer Portal 03419071

Red Hat Customer Portal 03427153

Red Hat Customer Portal 03488594

Red Hat Customer Portal 03489112

Red Hat Customer Portal 03489747

Red Hat Customer Portal 03490881

Red Hat Customer Portal 03495302

Red Hat Customer Portal 03502849

Red Hat Customer Portal 03506306

Red Hat Customer Portal 03508884

Red Hat Customer Portal 03513106

Red Hat Customer Portal 03513372

Red Hat Customer Portal 03513642

Red Hat Customer Portal 03514668

Red Hat Customer Portal 03515326

Red Hat Customer Portal 03517474

Red Hat Customer Portal 03519618

Red Hat Customer Portal 03521520

Red Hat Customer Portal 03522328

Red Hat Customer Portal 03524639

Red Hat Customer Portal 03526780

Red Hat Customer Portal 03531248

Red Hat Customer Portal 03532673

Red Hat Customer Portal 03537418

Red Hat Customer Portal 03545540

Red Hat Customer Portal 03550342

Red Hat Customer Portal 03559836

Red Hat Customer Portal 03573690

Red Hat Customer Portal 03579542

Red Hat Customer Portal 03582850

Red Hat Customer Portal 03585631

Red Hat Customer Portal 03591660

Red Hat Customer Portal 03601430

Red Hat Customer Portal 03620865

Red Hat Customer Portal 03621026

Red Hat Customer Portal 03628656

Red Hat Customer Portal 03643217

Red Hat Customer Portal 03645317

Red Hat Customer Portal 03658051

Red Hat Customer Portal 03664740

Red Hat Customer Portal 03668254

Red Hat Customer Portal 03670584

Red Hat Customer Portal 03683775

Red Hat Customer Portal 03684980

Red Hat Customer Portal 03685491

Red Hat Customer Portal 03687272

Red Hat Customer Portal 03688032

Red Hat Customer Portal 03688360

Red Hat Customer Portal 03689073

Red Hat Customer Portal 03689704

Red Hat Customer Portal 03696633

Red Hat Customer Portal 03697765

Red Hat Customer Portal 03703350

Red Hat Customer Portal 03709802

Red Hat Customer Portal 03711870

Red Hat Customer Portal 03715097

Red Hat Customer Portal 03715385

Red Hat Customer Portal 03716729

Red Hat Customer Portal 03717062

Red Hat Customer Portal 03719322

Red Hat Customer Portal 03719486

Red Hat Customer Portal 03720265

Red Hat Customer Portal 03723669

Red Hat Customer Portal 03726561

Red Hat Customer Portal 03731277

Red Hat Customer Portal 03731857

Red Hat Customer Portal 03732567

Red Hat Customer Portal 03734356

Red Hat Customer Portal 03736023

Red Hat Customer Portal 03738907

Red Hat Customer Portal 03738914

Red Hat Customer Portal 03740214

Red Hat Customer Portal 03741511

Red Hat Customer Portal 03744089

Red Hat Customer Portal 03745816

Red Hat Customer Portal 03750742

Red Hat Customer Portal 03750839

Red Hat Customer Portal 03750881

Red Hat Customer Portal 03754599

Red Hat Customer Portal 03755673

Red Hat Customer Portal 03757330

Red Hat Customer Portal 03762955

Red Hat Customer Portal 03767711

Red Hat Customer Portal 03768199

Red Hat Customer Portal 03773795

Red Hat Customer Portal 03777507

Red Hat Customer Portal 03782707

Red Hat Customer Portal 03784189

Red Hat Customer Portal 03784720

Red Hat Customer Portal 03787279

Red Hat Customer Portal 03787909

Red Hat Customer Portal 03788788

Red Hat Customer Portal 03790385

Red Hat Customer Portal 03792072

Red Hat Customer Portal 03792560

Red Hat Customer Portal 03796660

Red Hat Customer Portal 03805244

Red Hat Customer Portal 03806402

Red Hat Customer Portal 03808443

Red Hat Customer Portal 03810972

Red Hat Customer Portal 03822466

Red Hat Customer Portal 03838569

Red Hat Issue Tracker RHEL-6971

Red Hat Issue Tracker SAT-18211

Red Hat Knowledge Base (Solution) 6871231

Red Hat Knowledge Base (Solution) 6996506

Red Hat Knowledge Base (Solution) 6999616

Red Hat Knowledge Base (Solution) 7045833

(105 external trackers)

Assignee:: RH Bugzilla Integration

Reporter:: RH Bugzilla Integration

QA Contact:: RH Bugzilla Integration

Votes:: 3 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2023/06/16 10:03 AM

Updated:: 2024/07/01 7:44 PM