Tomcat 9 vulnerabilities

Asked by james Hart

Our Rapid7 scans have picked up a whole bunch of Tomcat9 vulnerabilities on Focal that haven't yet been addressed by Ubuntu (according to entries on the corresponding https://ubuntu.com/security page):

Version on ubuntu repository: 9.0.31-1ubuntu0.1

Vulnerability                  Versions affected   Status (as per the
apache-tomcat-cve-2021-30640   < 9.0.46            Needs triage
apache-tomcat-cve-2021-33037   < 9.0.47            Needs triage
apache-tomcat-cve-2021-25122   < 9.0.42            Needs triage
apache-tomcat-cve-2020-17527   < 9.0.40            Needed
apache-tomcat-cve-2021-25329   < 9.0.42            Needs triage
apache-tomcat-cve-2021-24122   < 9.0.40            Needs triage

Should we be installing Tomcat directly from Apache, and independently of apt to ensure these vulnerabilities are countered, or can we expect a release soon of a patched version of Tomcat9?

Hope you can help.

james

Question information

Language: English
Status: Solved
For: Ubuntu tomcat9
Assignee: No assignee
Solved by: actionparsnip
Best actionparsnip (andrew-woodhead666) said :
#1

I suggest you report a bug stating the issues that need addressing. Mark as a security issue.

james Hart (james-hart1) said :
#2

Thank you. I'll give that a go.

Best wishes

james