CVE-2021-25329
Incomplete Fix vulnerability in org.apache.tomcat.embed:tomcat-embed-core


What is CVE-2021-25329 About?

This vulnerability is an incomplete fix for a previous issue (CVE-2020-9484) in Apache Tomcat, affecting certain versions only under a rare configuration edge case. It allows impacts similar to the original vulnerability, potentially leading to security bypasses. Exploitation requires a specific, highly unlikely configuration to be present, which makes it difficult to exploit.

Affected Software

  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0, <9.0.41
    • >10.0.0-M1, <10.0.2
    • >8.0.0, <8.5.61
    • >7.0.0, <7.0.108

Technical Details

The vulnerability arises from an incomplete patch for CVE-2020-9484. When Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61, or 7.0.0 to 7.0.107 are configured with a highly unlikely edge case, the instance remains vulnerable to the issue addressed by CVE-2020-9494. In other words, if the prerequisites and environmental conditions that previously enabled exploitation of CVE-2020-9484 are met, and the instance runs one of the listed versions with that unusual configuration, the security bypass or information disclosure can still occur. The exact mechanism of the bypass depends on the nature of CVE-2020-9494.

What is the Impact of CVE-2021-25329?

Successful exploitation may allow attackers to bypass security restrictions or access sensitive information that should otherwise be protected, potentially leading to unauthorized operations or data exposure.

What is the Exploitability of CVE-2021-25329?

Exploitation of this vulnerability is considered difficult because of its specific prerequisites and the highly unlikely configuration edge case. An attacker would need to identify a system running one of the affected Apache Tomcat versions that is also configured in a very particular, uncommon way. No explicit authentication or privilege requirements are mentioned, which suggests it could be a remote issue under the right conditions. However, the rarity of the configuration is a significant constraint that reduces the likelihood of successful exploitation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-25329?

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >7.0.0, <7.0.108 → Upgrade to 7.0.108
    • >8.0.0, <8.5.61 → Upgrade to 8.5.61
    • >9.0.0, <9.0.41 → Upgrade to 9.0.41
    • >10.0.0-M1, <10.0.2 → Upgrade to 10.0.2
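The practical check for this advisory is whether a build pulls in a tomcat-embed-core version inside the affected windows, and Tomcat's milestone versions (10.0.0-M1 sorts before 10.0.0, 9.0.0.M1 before 9.0.0) are easy to get wrong with a naive string compare. The following is an added example, not code from this page or from the Apache Tomcat project: it orders Tomcat versions correctly, takes the lower bounds from the Technical Details paragraph above (7.0.0, 8.5.0, 9.0.0.M1, 10.0.0-M1) and the upper bounds from the upgrade targets (7.0.108, 8.5.61, 9.0.41, 10.0.2), treating the lower bound as inclusive and the first fixed version as exclusive (an assumption), and scans a constructed pom.xml for the dependency. The sample POM and the function names are the example's own.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Affected windows for org.apache.tomcat.embed:tomcat-embed-core, assembled from
# this advisory: (first affected version, first fixed version / upgrade target).
# Lower bound inclusive, upper bound exclusive (assumption made by this example).
AFFECTED_RANGES = [
    ("7.0.0", "7.0.108"),
    ("8.5.0", "8.5.61"),
    ("9.0.0.M1", "9.0.41"),
    ("10.0.0-M1", "10.0.2"),
]

# Tomcat version forms: "9.0.41", "10.0.0-M1" (new milestone style), "9.0.0.M1" (old style).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sortable key: (major, minor, patch, release_flag, milestone_number).

    release_flag is 0 for milestones and 1 for final releases, so every
    milestone of X.Y.Z sorts before the X.Y.Z release itself.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def check_version(version: str) -> Tuple[str, Optional[str]]:
    """Classify a tomcat-embed-core version against the advisory's ranges.

    Returns ("affected", upgrade_target), ("not-affected", None), or
    ("unknown", None) when the version cannot be parsed (e.g. an unresolved
    Maven property such as ${tomcat.version}).
    """
    try:
        key = version_key(version)
    except ValueError:
        return ("unknown", None)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if version_key(first_affected) <= key < version_key(first_fixed):
            return ("affected", first_fixed)
    return ("not-affected", None)


POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def tomcat_embed_versions_in_pom(pom_xml: str) -> List[str]:
    """Return every declared version of org.apache.tomcat.embed:tomcat-embed-core in a POM."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter(POM_NS + "dependency"):
        group = dep.findtext(POM_NS + "groupId")
        artifact = dep.findtext(POM_NS + "artifactId")
        version = dep.findtext(POM_NS + "version")
        if group == "org.apache.tomcat.embed" and artifact == "tomcat-embed-core" and version:
            found.append(version.strip())
    return found


def scan_pom(pom_xml: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (version, status, upgrade_target) for each tomcat-embed-core dependency found."""
    return [(v, *check_version(v)) for v in tomcat_embed_versions_in_pom(pom_xml)]


# Constructed sample POM for demonstration; not taken from any real project.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>9.0.39</version>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-websocket</artifactId>
      <version>9.0.39</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, status, target in scan_pom(SAMPLE_POM):
        hint = f" -> upgrade to {target}" if target else ""
        print(f"tomcat-embed-core {version}: {status}{hint}")
```

A version that comes from a Maven property or a parent BOM is reported as "unknown" rather than silently passed; resolve it (for example from the effective POM) before trusting the result. Note also that the Technical Details paragraph lists 9.0.41 and 8.5.61 themselves among the affected versions while the upgrade list names them as targets, so a build pinned at exactly those two versions deserves a second look against the upstream advisory.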


Additional Resources

What are Similar Vulnerabilities to CVE-2021-25329?

Similar Vulnerabilities: CVE-2020-9484, CVE-2020-9494, CVE-2019-0232, CVE-2018-8037, CVE-2017-12617