Bug 2215345

Summary: Tomcat version shipped with Satellite 6.11\12\13 are susceptable to many CVEs as reported by Nessus and Qualys VA scan.
Product: Red Hat Satellite Reporter: Sayan Das <saydas>
Component: PackagingAssignee: Eric Helms <ehelms>
Status: ASSIGNED --- QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: high Docs Contact:
Priority: high    
Version: 6.13.0CC: ahumbe, csutherl, ehelms, kyoshida, mhulan, rlavi
Target Milestone: UnspecifiedKeywords: PrioBumpGSS, Triaged
Target Release: Unused   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2184135, 2217018    
Bug Blocks:    

Description Sayan Das 2023-06-15 15:36:35 UTC 
Description of problem:

Tomcat version shipped with Satellite 6.11\12\13 is susceptable to many CVEs as reported by Nessus and Qualys VA scan.

Satellite 6.11\12\13 runs on RHEL 8. The tomcat component is provided by pki-servlet-engine package and the version is 9.0.50.0

# rpm -qf `which tomcat`
pki-servlet-engine-9.0.50-1.module+el8.7.0+15761+f86c9a56.noarch

# tomcat version
Server version: Apache Tomcat/9.0.50
Server built:   Jun 24 2022 20:49:41 UTC
Server number:  9.0.50.0
OS Name:        Linux
OS Version:     4.18.0-425.3.1.el8.x86_64
Architecture:   amd64
JVM Version:    11.0.19+7-LTS
JVM Vendor:     Red Hat, Inc.


When Nessus or Qualys VA scan is being done on the mentioned versions of satellite, The following list of CVE's are reported as affected.

CVE-2021-42340
CVE-2022-29885
CVE-2022-34305
CVE-2022-42252 ( https://access.redhat.com/solutions/6996506 )
CVE-2022-45143 ( https://access.redhat.com/solutions/6999616 )
CVE-2023-24998
CVE-2021-43980
CVE-2023-28708
CVE-2022-22965 ( https://access.redhat.com/solutions/6871231 )

For some of them, we may have an explanation but for the majority, we don't. RHEL 8.8 ships tomcat binary via tomcat package directly but even that is of version 9.0.62-5.  To mark these VA scans fixed\resolved, The version of Tomcat needs to be  >= 9.0.68 . 


Version-Release number of selected component (if applicable):

Red Hat Satellite 6.11
Red Hat Satellite 6.12
Red Hat Satellite 6.13
pki-servlet-engine ( tomcat ) 9.0.50.0


How reproducible:

Always 

Steps to Reproduce:
1. Install any of the above-mentioned versions of the satellite.
2. Run a VA scan using Nessus or Qualys


Actual results:

As explained in the Description.


Expected results:

Either user should not see that many vulnerabilities reported or RedHat should have proper justification for each of these CVEs explaining why RH Satellite as a product is not affected even if it has the vulnerable version of Tomcat installed. 

A very good example is :

Is Red Hat Satellite 6 functionality impacted by the Request Smuggling Vulnerability CVE-2022-42252? - Red Hat Customer Portal
https://access.redhat.com/solutions/6996506


Additional info:

NA
Comment 2 Eric Helms 2023-07-14 12:59:02 UTC 
This will be addressed in RHEL -- https://bugzilla.redhat.com/show_bug.cgi?id=2217018

Additionally, the newer Tomcat package will be swapped over to seamlessly -- https://bugzilla.redhat.com/show_bug.cgi?id=2184135