The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published non-upgrade mitigations for CVE-2020-9484 also apply to this issue.

Upstream commits:
Tomcat 10.0: https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4
Tomcat 9.0: https://github.com/apache/tomcat/commit/4785433a226a20df6acbea49296e1ce7e23de453
Tomcat 8.5: https://github.com/apache/tomcat/commit/93f0cc403a9210d469afc2bd9cf03ab3251c6f35
Tomcat 7.0: https://github.com/apache/tomcat/commit/74b105657ffbd1d1de80455f03446c3bbf30d1f5

Reference: http://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3C811bba77-e74e-9f9b-62ca-5253a09ba84f%40apache.org%3E

External References:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3C811bba77-e74e-9f9b-62ca-5253a09ba84f%40apache.org%3E
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.2
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.63
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.108
Statement: In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the `pki-servlet-engine` component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of `pki-servlet-engine` outside of these contexts is not supported. As a result, the vulnerability cannot be triggered in supported configurations of these products. Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.
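The statement above rests on two configuration facts: whether a PersistentManager is configured at all, and whether the session attribute deserialization filter is in effect. The following Python check is an added example, not code from the bug record, from Red Hat or from the Tomcat project. It parses a Tomcat `context.xml` and reports whether a PersistentManager backed by a FileStore is present and whether `sessionAttributeValueClassNameFilter` is set. The class and attribute names are the ones Tomcat documents; the SecurityManager default-filter behaviour is taken from Tomcat's Manager documentation; the three sample documents are constructed for the example.

```python
"""Added example: assess a Tomcat context.xml against the PersistentManager
prerequisites referred to in the CVE-2020-9484 / CVE-2021-25329 advisories.
Not part of the Red Hat bug record or of the Tomcat project."""
import xml.etree.ElementTree as ET

# Tomcat class names and attribute documented in the Manager/Store components
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
FILTER_ATTR = "sessionAttributeValueClassNameFilter"
# Filter Tomcat applies by default when a SecurityManager is enabled and no
# explicit filter is configured (per the Tomcat Manager documentation)
SECURITY_MANAGER_DEFAULT_FILTER = r"java\.lang\.(?:Boolean|Integer|Long|Number|String)"


def assess_context_xml(xml_text: str, security_manager: bool = False) -> dict:
    """Return a finding for one context.xml document.

    risk is 'exposed' when a PersistentManager uses a FileStore and no
    deserialization filter is in effect, 'mitigated' when such a manager is
    present but a filter is in effect, and 'not_applicable' otherwise.
    """
    root = ET.fromstring(xml_text)
    finding = {
        "persistent_manager": False,
        "file_store": False,
        "effective_filter": "",
        "risk": "not_applicable",
    }
    # <Manager> normally sits directly under <Context>; iter() also covers nesting
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        finding["persistent_manager"] = True
        explicit = (manager.get(FILTER_ATTR) or "").strip()
        # An explicit filter wins; otherwise the SecurityManager default applies, if any
        if explicit:
            finding["effective_filter"] = explicit
        elif security_manager:
            finding["effective_filter"] = SECURITY_MANAGER_DEFAULT_FILTER
        finding["file_store"] = any(
            store.get("className") == FILE_STORE for store in manager.findall("Store")
        )
        if finding["file_store"]:
            finding["risk"] = "mitigated" if finding["effective_filter"] else "exposed"
        break
    return finding


# Constructed sample documents (not taken from any real deployment)
EXPOSED_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

MITIGATED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

STANDARD_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"/>
</Context>"""


if __name__ == "__main__":
    for name, doc in (("exposed", EXPOSED_CONTEXT),
                      ("mitigated", MITIGATED_CONTEXT),
                      ("standard", STANDARD_CONTEXT)):
        print(name, assess_context_xml(doc))
    # Same unfiltered document, but with a SecurityManager enabled
    print("exposed+securitymanager", assess_context_xml(EXPOSED_CONTEXT, security_manager=True))
```

Run it against the `conf/context.xml` and any per-application `META-INF/context.xml` of an instance; a `not_applicable` result matches the situation the statement describes for `pki-servlet-engine`, and the `security_manager=True` path shows why the default filter under a SecurityManager changes the outcome for an otherwise unfiltered PersistentManager.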
This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2021:2562 https://access.redhat.com/errata/RHSA-2021:2562

This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.5 on RHEL 7
Red Hat JBoss Web Server 5.5 on RHEL 8
Via RHSA-2021:2561 https://access.redhat.com/errata/RHSA-2021:2561
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-25329
This issue has been addressed in the following products:
Red Hat support for Spring Boot 2.3.10
Via RHSA-2021:3425 https://access.redhat.com/errata/RHSA-2021:3425

This issue has been addressed in the following products:
Red Hat Fuse 7.11
Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532