Satellite / SAT-18452

Tomcat version shipped with Satellite 6.11\12\13 is susceptible to many CVEs as reported by Nessus and Qualys VA scans.


    • Important

      Description of problem:

      Tomcat version shipped with Satellite 6.11\12\13 is susceptible to many CVEs as reported by Nessus and Qualys VA scans.

      Satellite 6.11\12\13 runs on RHEL 8. The tomcat component is provided by the pki-servlet-engine package, and the version is 9.0.50.0.

      1. rpm -qf `which tomcat`
        pki-servlet-engine-9.0.50-1.module+el8.7.0+15761+f86c9a56.noarch
      2. tomcat version
        Server version: Apache Tomcat/9.0.50
        Server built: Jun 24 2022 20:49:41 UTC
        Server number: 9.0.50.0
        OS Name: Linux
        OS Version: 4.18.0-425.3.1.el8.x86_64
        Architecture: amd64
        JVM Version: 11.0.19+7-LTS
        JVM Vendor: Red Hat, Inc.

      When a Nessus or Qualys VA scan is run against the mentioned versions of Satellite, the following CVEs are reported as affecting it.

      CVE-2021-42340
      CVE-2022-29885
      CVE-2022-34305
      CVE-2022-42252 ( https://access.redhat.com/solutions/6996506 )
      CVE-2022-45143 ( https://access.redhat.com/solutions/6999616 )
      CVE-2023-24998
      CVE-2021-43980
      CVE-2023-28708
      CVE-2022-22965 ( https://access.redhat.com/solutions/6871231 )

      For some of them, we may have an explanation, but for the majority, we don't. RHEL 8.8 ships the tomcat binary via the tomcat package directly, but even that is version 9.0.62-5. To mark these VA scans fixed\resolved, the version of Tomcat needs to be >= 9.0.68.
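      As an added example (not part of this issue), a small Python check that parses the `tomcat version` output and the `rpm -qf` package name quoted above and compares both against the 9.0.68 threshold the report states. The sample strings are constructed from the lines in this report; the function names are the example's own.

```python
import re

# Threshold the report gives for the VA scanners to stop flagging Tomcat.
REQUIRED_TOMCAT = "9.0.68"
# Constructed sample: the `tomcat version` output quoted in the issue above.
SAMPLE_TOMCAT_VERSION_OUTPUT = """\
Server version: Apache Tomcat/9.0.50
Server built: Jun 24 2022 20:49:41 UTC
Server number: 9.0.50.0
"""
# Constructed sample: the package reported by `rpm -qf $(which tomcat)` above.
SAMPLE_NVR = "pki-servlet-engine-9.0.50-1.module+el8.7.0+15761+f86c9a56.noarch"

def parse_version(text: str) -> tuple:
    """'9.0.50.0' -> (9, 0, 50, 0); rejects anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def version_ge(found: str, required: str) -> bool:
    """Component-wise compare; missing trailing components count as 0 (9.0.68 == 9.0.68.0)."""
    a, b = parse_version(found), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def server_number(output: str) -> str:
    """Pull the 'Server number:' value out of `tomcat version` output."""
    m = re.search(r"^\s*Server number:\s*([0-9.]+)\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Server number:' line in tomcat version output")
    return m.group(1)

def rpm_version(nvr: str) -> str:
    """Upstream version from an RPM name-version-release string; the name may contain hyphens."""
    m = re.match(r"^(.+)-([0-9][0-9.]*)-([^-]+)$", nvr)
    if not m:
        raise ValueError(f"not an RPM name-version-release string: {nvr!r}")
    return m.group(2)

def assess(version_output: str, nvr: str, required: str = REQUIRED_TOMCAT) -> dict:
    """Report the running and packaged versions and whether both meet the threshold."""
    running, packaged = server_number(version_output), rpm_version(nvr)
    return {
        "running": running,
        "packaged": packaged,
        "meets_requirement": version_ge(running, required) and version_ge(packaged, required),
    }
```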

      Version-Release number of selected component (if applicable):

      Red Hat Satellite 6.11
      Red Hat Satellite 6.12
      Red Hat Satellite 6.13
      pki-servlet-engine ( tomcat ) 9.0.50.0

      How reproducible:

      Always

      Steps to Reproduce:
      1. Install any of the above-mentioned versions of Satellite.
      2. Run a VA scan using Nessus or Qualys.

      Actual results:

      As explained in the Description.

      Expected results:

      Either the user should not see that many vulnerabilities reported, or Red Hat should have a proper justification for each of these CVEs explaining why Red Hat Satellite as a product is not affected even if it has the vulnerable version of Tomcat installed.

      A very good example is:

      Is Red Hat Satellite 6 functionality impacted by the Request Smuggling Vulnerability CVE-2022-42252? - Red Hat Customer Portal
      https://access.redhat.com/solutions/6996506

      Additional info:

      NA
