Bug 2215345 - Tomcat version shipped with Satellite 6.11\12\13 are susceptable to many CVEs as reported by Nessus and Qualys VA scan.
Summary: Tomcat version shipped with Satellite 6.11\12\13 are susceptable to many CVEs...
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Packaging
Version: 6.13.0
Hardware: All
OS: Linux
high
high
Target Milestone: Unspecified
Assignee: Eric Helms
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On: 2184135 2217018
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-06-15 15:36 UTC by Sayan Das
Modified: 2023-08-17 00:21 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SAT-18211 0 None None None 2023-06-16 10:02:26 UTC
Red Hat Issue Tracker SAT-18452 0 None None None 2023-06-16 10:03:51 UTC
Red Hat Knowledge Base (Solution) 6871231 0 None None None 2023-06-15 15:37:42 UTC
Red Hat Knowledge Base (Solution) 6996506 0 None None None 2023-06-15 15:37:42 UTC
Red Hat Knowledge Base (Solution) 6999616 0 None None None 2023-06-15 15:37:42 UTC

Description Sayan Das 2023-06-15 15:36:35 UTC 
Description of problem:

Tomcat version shipped with Satellite 6.11\12\13 is susceptable to many CVEs as reported by Nessus and Qualys VA scan.

Satellite 6.11\12\13 runs on RHEL 8. The tomcat component is provided by pki-servlet-engine package and the version is 9.0.50.0

# rpm -qf `which tomcat`
pki-servlet-engine-9.0.50-1.module+el8.7.0+15761+f86c9a56.noarch

# tomcat version
Server version: Apache Tomcat/9.0.50
Server built:   Jun 24 2022 20:49:41 UTC
Server number:  9.0.50.0
OS Name:        Linux
OS Version:     4.18.0-425.3.1.el8.x86_64
Architecture:   amd64
JVM Version:    11.0.19+7-LTS
JVM Vendor:     Red Hat, Inc.


When Nessus or Qualys VA scan is being done on the mentioned versions of satellite, The following list of CVE's are reported as affected.

CVE-2021-42340
CVE-2022-29885
CVE-2022-34305
CVE-2022-42252 ( https://access.redhat.com/solutions/6996506 )
CVE-2022-45143 ( https://access.redhat.com/solutions/6999616 )
CVE-2023-24998
CVE-2021-43980
CVE-2023-28708
CVE-2022-22965 ( https://access.redhat.com/solutions/6871231 )

For some of them, we may have an explanation but for the majority, we don't. RHEL 8.8 ships tomcat binary via tomcat package directly but even that is of version 9.0.62-5.  To mark these VA scans fixed\resolved, The version of Tomcat needs to be  >= 9.0.68 . 


Version-Release number of selected component (if applicable):

Red Hat Satellite 6.11
Red Hat Satellite 6.12
Red Hat Satellite 6.13
pki-servlet-engine ( tomcat ) 9.0.50.0


How reproducible:

Always 

Steps to Reproduce:
1. Install any of the above-mentioned versions of the satellite.
2. Run a VA scan using Nessus or Qualys


Actual results:

As explained in the Description.


Expected results:

Either user should not see that many vulnerabilities reported or RedHat should have proper justification for each of these CVEs explaining why RH Satellite as a product is not affected even if it has the vulnerable version of Tomcat installed. 

A very good example is :

Is Red Hat Satellite 6 functionality impacted by the Request Smuggling Vulnerability CVE-2022-42252? - Red Hat Customer Portal
https://access.redhat.com/solutions/6996506


Additional info:

NA
Comment 2 Eric Helms 2023-07-14 12:59:02 UTC 
This will be addressed in RHEL -- https://bugzilla.redhat.com/show_bug.cgi?id=2217018

Additionally, the newer Tomcat package will be swapped over to seamlessly -- https://bugzilla.redhat.com/show_bug.cgi?id=2184135
Note You need to log in before you can comment on or make changes to this bug.