Bug 2215345

Summary: Tomcat version shipped with Satellite 6.11\12\13 are susceptable to many CVEs as reported by Nessus and Qualys VA scan.
Product: Red Hat Satellite Reporter: Sayan Das <saydas>
Component: SecurityAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED CURRENTRELEASE QA Contact: Satellite QE Team <sat-qe-bz-list>
Severity: high Docs Contact:
Priority: high    
Version: 6.13.0CC: ahumbe, arsingh, csutherl, dhjoshi, ehelms, gcovolo, gpayelka, jbhatia, jpasqual, jstormshak, kyoshida, lucious.a.daniels, mhulan, mkalyat, pdudley, pwaghmar, qpham, rlavi, sadas, vepatil, zjones
Target Milestone: UnspecifiedKeywords: PrioBumpGSS, Security, Triaged
Target Release: Unused   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-05-28 12:29:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2184135, 2217018    
Bug Blocks:    

Description Sayan Das 2023-06-15 15:36:35 UTC 
Description of problem:

Tomcat version shipped with Satellite 6.11\12\13 is susceptable to many CVEs as reported by Nessus and Qualys VA scan.

Satellite 6.11\12\13 runs on RHEL 8. The tomcat component is provided by pki-servlet-engine package and the version is 9.0.50.0

# rpm -qf `which tomcat`
pki-servlet-engine-9.0.50-1.module+el8.7.0+15761+f86c9a56.noarch

# tomcat version
Server version: Apache Tomcat/9.0.50
Server built:   Jun 24 2022 20:49:41 UTC
Server number:  9.0.50.0
OS Name:        Linux
OS Version:     4.18.0-425.3.1.el8.x86_64
Architecture:   amd64
JVM Version:    11.0.19+7-LTS
JVM Vendor:     Red Hat, Inc.


When Nessus or Qualys VA scan is being done on the mentioned versions of satellite, The following list of CVE's are reported as affected.

CVE-2021-42340
CVE-2022-29885
CVE-2022-34305
CVE-2022-42252 ( https://access.redhat.com/solutions/6996506 )
CVE-2022-45143 ( https://access.redhat.com/solutions/6999616 )
CVE-2023-24998
CVE-2021-43980
CVE-2023-28708
CVE-2022-22965 ( https://access.redhat.com/solutions/6871231 )

For some of them, we may have an explanation but for the majority, we don't. RHEL 8.8 ships tomcat binary via tomcat package directly but even that is of version 9.0.62-5.  To mark these VA scans fixed\resolved, The version of Tomcat needs to be  >= 9.0.68 . 


Version-Release number of selected component (if applicable):

Red Hat Satellite 6.11
Red Hat Satellite 6.12
Red Hat Satellite 6.13
pki-servlet-engine ( tomcat ) 9.0.50.0


How reproducible:

Always 

Steps to Reproduce:
1. Install any of the above-mentioned versions of the satellite.
2. Run a VA scan using Nessus or Qualys


Actual results:

As explained in the Description.


Expected results:

Either user should not see that many vulnerabilities reported or RedHat should have proper justification for each of these CVEs explaining why RH Satellite as a product is not affected even if it has the vulnerable version of Tomcat installed. 

A very good example is :

Is Red Hat Satellite 6 functionality impacted by the Request Smuggling Vulnerability CVE-2022-42252? - Red Hat Customer Portal
https://access.redhat.com/solutions/6996506


Additional info:

NA
Comment 2 Eric Helms 2023-07-14 12:59:02 UTC 
This will be addressed in RHEL -- https://bugzilla.redhat.com/show_bug.cgi?id=2217018

Additionally, the newer Tomcat package will be swapped over to seamlessly -- https://bugzilla.redhat.com/show_bug.cgi?id=2184135
Comment 4 Brad Buckingham 2023-10-30 11:29:29 UTC 
Bulk setting Target Milestone = 6.15.0 where sat-6.15.0+ is set.
Comment 15 Eric Helms 2024-05-20 12:15:41 UTC 
The pki-servlet-engine dependency comes from RHEL, and RHEL has chosen to stop updating pki-servlet-engine and switch to using the tomcat package. The changes will arrive in RHEL 8.10 to switch to using the tomcat package which will continue to be supported per RHEL's support policy and for the CVEs in question has fixes already released.
Comment 16 Eric Helms 2024-05-28 12:29:01 UTC 
This is fixed in RHEL 8.10 for all versions of Satellite.