Bug 2215345 - Tomcat version shipped with Satellite 6.11/12/13 is susceptible to many CVEs as reported by Nessus and Qualys VA scans.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Security
Version: 6.13.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On: 2184135 2217018
Blocks:
Reported: 2023-06-15 15:36 UTC by Sayan Das
Modified: 2024-06-07 19:46 UTC
CC List: 21 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-05-28 12:29:01 UTC
Target Upstream Version:
Embargoed:

Links
System                             ID         Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker              RHEL-6971  0        None      None    None     2023-10-10 12:33:51 UTC
Red Hat Issue Tracker              SAT-18211  0        None      None    None     2023-06-16 10:02:26 UTC
Red Hat Issue Tracker              SAT-18452  0        None      None    None     2023-06-16 10:03:51 UTC
Red Hat Knowledge Base (Solution)  6871231    0        None      None    None     2023-06-15 15:37:42 UTC
Red Hat Knowledge Base (Solution)  6996506    0        None      None    None     2023-06-15 15:37:42 UTC
Red Hat Knowledge Base (Solution)  6999616    0        None      None    None     2023-06-15 15:37:42 UTC
Red Hat Knowledge Base (Solution)  7045833    0        None      None    None     2024-01-11 13:41:23 UTC

Description Sayan Das 2023-06-15 15:36:35 UTC
Description of problem:

Tomcat version shipped with Satellite 6.11/12/13 is susceptible to many CVEs as reported by Nessus and Qualys VA scans.

Satellite 6.11/12/13 runs on RHEL 8. The tomcat component is provided by the pki-servlet-engine package, and the version is 9.0.50.0.

# rpm -qf `which tomcat`
pki-servlet-engine-9.0.50-1.module+el8.7.0+15761+f86c9a56.noarch

# tomcat version
Server version: Apache Tomcat/9.0.50
Server built:   Jun 24 2022 20:49:41 UTC
Server number:  9.0.50.0
OS Name:        Linux
OS Version:     4.18.0-425.3.1.el8.x86_64
Architecture:   amd64
JVM Version:    11.0.19+7-LTS
JVM Vendor:     Red Hat, Inc.


When a Nessus or Qualys VA scan is run on the mentioned versions of Satellite, the following CVEs are reported as affected.

CVE-2021-42340
CVE-2022-29885
CVE-2022-34305
CVE-2022-42252 ( https://access.redhat.com/solutions/6996506 )
CVE-2022-45143 ( https://access.redhat.com/solutions/6999616 )
CVE-2023-24998
CVE-2021-43980
CVE-2023-28708
CVE-2022-22965 ( https://access.redhat.com/solutions/6871231 )

For some of them, we may have an explanation, but for the majority, we don't. RHEL 8.8 ships the tomcat binary via the tomcat package directly, but even that is version 9.0.62-5. To mark these VA scan findings fixed/resolved, the version of Tomcat needs to be >= 9.0.68.


Version-Release number of selected component (if applicable):

Red Hat Satellite 6.11
Red Hat Satellite 6.12
Red Hat Satellite 6.13
pki-servlet-engine ( tomcat ) 9.0.50.0


How reproducible:

Always 

Steps to Reproduce:
1. Install any of the above-mentioned versions of Satellite.
2. Run a VA scan using Nessus or Qualys.


Actual results:

As explained in the Description.


Expected results:

Either the user should not see that many vulnerabilities reported, or Red Hat should have a proper justification for each of these CVEs explaining why Red Hat Satellite as a product is not affected even if it has the vulnerable version of Tomcat installed.

A very good example is:

Is Red Hat Satellite 6 functionality impacted by the Request Smuggling Vulnerability CVE-2022-42252? - Red Hat Customer Portal
https://access.redhat.com/solutions/6996506


Additional info:

NA
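
A version check of the kind this report relies on, as an added example (not code from the bug, from Red Hat, or from either scanner): it parses constructed copies of the `rpm -qf` and `tomcat version` output quoted above, confirms that the package and the running server agree, and tests the running version against the 9.0.68 threshold the reporter gives. The sample strings and the 9.0.68 constant are taken from the report; the NEVRA regular expression and the function names are my own.

```python
import re

# Minimum Tomcat version the reporter says clears the scanner findings.
MIN_FIXED = (9, 0, 68)

# Constructed sample input, modelled on the `rpm -qf` and `tomcat version`
# output quoted in the bug (not captured from a live host).
RPM_QF_OUTPUT = "pki-servlet-engine-9.0.50-1.module+el8.7.0+15761+f86c9a56.noarch"
TOMCAT_VERSION_OUTPUT = """Server version: Apache Tomcat/9.0.50
Server built:   Jun 24 2022 20:49:41 UTC
Server number:  9.0.50.0
OS Name:        Linux
"""

# name-version-release.arch; the version must start with a digit so the
# hyphens inside a name such as pki-servlet-engine are not split on.
NEVRA_RE = re.compile(r"^(?P<name>.+?)-(?P<version>[0-9][^-]*)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")

def parse_nevra(line):
    """Split an rpm NVRA string into (name, version, release, arch)."""
    m = NEVRA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an rpm NVRA string: {line!r}")
    return m.group("name"), m.group("version"), m.group("release"), m.group("arch")

def version_tuple(ver):
    """Numeric tuple, so 9.0.50 sorts above 9.0.9 (a string compare would not)."""
    return tuple(int(part) for part in ver.split("."))

def server_number(output):
    """Pull the 'Server number' field out of `tomcat version` output."""
    for line in output.splitlines():
        if line.startswith("Server number:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Server number:' line in output")

def assess(rpm_line, version_output):
    """Which package provides tomcat, do rpm and runtime agree, is MIN_FIXED met."""
    name, rpm_ver, _release, _arch = parse_nevra(rpm_line)
    srv = server_number(version_output)
    # Compare major.minor.patch only; the fourth 'Server number' field is a build number.
    rpm_v, srv_v = version_tuple(rpm_ver)[:3], version_tuple(srv)[:3]
    return {"package": name, "rpm_version": rpm_ver, "server_number": srv,
            "consistent": rpm_v == srv_v, "meets_minimum": srv_v >= MIN_FIXED}

if __name__ == "__main__":
    print(assess(RPM_QF_OUTPUT, TOMCAT_VERSION_OUTPUT))
```

On the quoted host this reports package pki-servlet-engine at 9.0.50 with meets_minimum False, which is exactly the state the scanners flag; after the RHEL 8.10 switch described in the later comments the same check would read the tomcat package instead.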

Comment 2 Eric Helms 2023-07-14 12:59:02 UTC
This will be addressed in RHEL -- https://bugzilla.redhat.com/show_bug.cgi?id=2217018

Additionally, the newer Tomcat package will be swapped over to seamlessly -- https://bugzilla.redhat.com/show_bug.cgi?id=2184135

Comment 4 Brad Buckingham 2023-10-30 11:29:29 UTC
Bulk setting Target Milestone = 6.15.0 where sat-6.15.0+ is set.

Comment 15 Eric Helms 2024-05-20 12:15:41 UTC
The pki-servlet-engine dependency comes from RHEL, and RHEL has chosen to stop updating pki-servlet-engine and switch to using the tomcat package. The changes to switch to the tomcat package will arrive in RHEL 8.10; that package will continue to be supported per RHEL's support policy and already has fixes released for the CVEs in question.

Comment 16 Eric Helms 2024-05-28 12:29:01 UTC
This is fixed in RHEL 8.10 for all versions of Satellite.
