LINK Apache Log4J has been getting a significant amount of attention in the last 2-3 weeks. Don’t forget the perennial favorite, the HTTP server. It needs your attention now as well.
LINK CISA created this page to show updates and suggestions on actions as well.
LINK All versions of Apache are affected. Attacks are already occurring. Update anything Apache now.
LINK Tomcat has updates… Update your installs ASAP.
LINK Time to examine Tomcat again.
LINK Apache was affected by a zero-day earlier this week. They have released a NEW update for the update that was pushed out earlier this week. The fix that was released earlier was ineffectual. Download and use 2.4.51, not 2.4.50.
LINK Time to update immediately as the Apache Foundation has released an update to their HTTP server that fixes a Zero-Day.
LINK Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; Tomcat honoured the identity encoding; and Tomcat did not ensure that, if present, the […]
LINK Apache Tomcat released an update: Time to update. CVE-2021-25122: h2c request mix-up. Severity: Important. Vendor: The Apache Software Foundation. Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.0; Apache Tomcat 9.0.0.M1 to 9.0.41; Apache Tomcat 8.5.0 to 8.5.61. Description: When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount […]