I have this loaded in two different test environments and can confirm that at least the character combo crashes, checklist errors and Tomcat versions have been addressed.
Report back with your findings!
Was there a vulnerability in the Tomcat version?
https://nvd.nist.gov/vuln/detail/CVE-2024-52316
https://lists.apache.org/thread/lopzlqh91jj9n334g02om08sbysdb928
From the Release notes:
CVE-2024-52316 | Unchecked Error Condition vulnerability in Apache Tomcat | 9.8 Critical
If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
The severity is a bit misleading, as Apache rates this as low while GitHub and others are classifying it as critical.
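The failure mode the advisory describes (an exception thrown during authentication with no HTTP status set), shown beside the explicit-failure pattern, as an added Java example that is not SolarWinds', Tomcat's or this thread's code; the class name, the Authorization header check and the token logic are hypothetical placeholders:

```java
import jakarta.security.auth.message.AuthException;
import jakarta.security.auth.message.AuthStatus;
import jakarta.security.auth.message.MessageInfo;
import jakarta.security.auth.message.config.ServerAuthContext;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import javax.security.auth.Subject;

// Hypothetical custom ServerAuthContext illustrating the CVE-2024-52316 failure mode.
public class ExplicitFailureAuthContext implements ServerAuthContext {
    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse resp = (HttpServletResponse) messageInfo.getResponseMessage();
        try {
            if (tokenIsValid(req.getHeader("Authorization"))) {
                return AuthStatus.SUCCESS;
            }
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return AuthStatus.SEND_FAILURE;
        } catch (RuntimeException e) {
            // Risky pattern on affected Tomcat versions (9.0.95, 10.1.30, 11.0.0-M26 and
            // earlier): rethrowing here without touching the response left the HTTP status
            // unset, and the advisory says authentication may then not fail.
            //   throw new AuthException(e.getMessage());
            // Hardened pattern: record the failure on the response before signalling it,
            // so the outcome does not depend on how the container handles the exception.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            AuthException failure = new AuthException("authentication error");
            failure.initCause(e);
            throw failure;
        }
    }

    // Placeholder check: a malformed header throws, a missing one is simply rejected.
    private boolean tokenIsValid(String header) {
        if (header == null) return false;
        if (!header.startsWith("Bearer ")) throw new IllegalArgumentException("malformed");
        return header.length() > "Bearer ".length(); // real token validation would go here
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {}
}
```

Upgrading to the fixed Tomcat versions listed in the advisory removes the dependency on the component behaving this way; the explicit status is still the right thing for a custom module to do.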
Thanks for the info. It looks like we won't be affected if we don't use Jakarta Authentication then?
I take that back. 'java.com' will still crash the ticket/session, even if you wrap it in a quote or code block.
Yes, my lab seems to be clean of those now, but plenty of "ERROR w.helpdesk.com.macsdesign.whd.daemon - Error while triggering session in com.macsdesign.whd.daemon.ServletPulseDaemon: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" still!!
Sounds promising! With 12.8.3 HF2 (currently), if too many CSRF errors happened our system would just hang. SolarWinds don't think that was the issue, but that was the only correlation. No CSRF errors, no hang, lol. The errors would just happen randomly, and we didn't have this issue with any other version. Welp... Guess I'll give this a shot tonight. Fingers crossed everything stays working!
Ticket 01819046 opened for this continued character issue.