QID 356270
Date Published: 2023-09-28
QID 356270: Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-001
The fix for( CVE-2023-24998 was incomplete for apache tomcat 11.0.0-m2 to 11.0.0-m4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87.
If non-default http connector settings were used such that the maxparametercount could be reached using query string parameters and a request was submitted that supplied exactly maxparametercount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur. (
( CVE-2023-28709)
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
Solution
Please refer to Amazon advisory: ALASTOMCAT8.5-2023-001 for affected packages and patching details, or update with your package manager.
Vendor References
- ALASTOMCAT8.5-2023-001 -
alas.aws.amazon.com/AL2/ALASTOMCAT8.5-2023-001.html
CVEs related to QID 356270
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ALASTOMCAT8.5-2023-001 | amazon linux 2 |
alas.aws.amazon.com/AL2/ALASTOMCAT8.5-2023-001.html |