How to Fix the Oracle RAC Apache Tomcat CVE-2024-21733 Issue?
Starting with 12.2.0.1, the Grid Infrastructure home ships with Tomcat installed under GI_HOME. A security scan may therefore flag the Tomcat vulnerability CVE-2024-21733 in your Oracle RAC environment. How do you fix it?
CVE-2024-21733 Detail
Apache Tomcat information disclosure vulnerability (CVE-2024-21733)
Intelligence on the Apache Tomcat information disclosure vulnerability (CVE-2024-21733). Apache Tomcat is an open-source Java Servlet container and web server used to run Java applications and dynamic web pages. Coyote is Tomcat's connector; it handles requests from clients and passes them to the Tomcat engine for processing. An attacker can craft a specific request that causes the body data of other requests to be output in the error page, resulting in information disclosure. The fixed version adds a finally block that guarantees the buffer position and limit are reset to a consistent state by default.
This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
How to Find Tomcat Version
-- PATH: $GI_HOME/tomcat
su - grid
cd $ORACLE_HOME/tomcat/lib
[grid@db1 lib]$ $ORACLE_HOME/jdk/bin/java -cp catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/8.5.82
Server built:   Aug 8 2022 21:26:07 UTC
Server number:  8.5.82.0
OS Name:        Linux
OS Version:     5.15.0-3.60.5.1.el8uek.x86_64
Architecture:   amd64
JVM Version:    1.8.0_341-b10
JVM Vendor:     Oracle Corporation
Oracle GI RU to Tomcat Version Mapping
19.24 GI RU - Tomcat 9.0.87 <=== Tomcat 9 is included in 19.24 GI RU
19.22 GI RU - Tomcat 8.5.96
19.21 GI RU - Tomcat 8.5.89
19.20 GI RU - Tomcat 8.5.89
19.19 GI RU - Tomcat 8.5.84
19.17 GI RU - Tomcat 8.5.82
19.16 GI RU - Tomcat 8.5.79
19.15 GI RU - Tomcat 8.5.75
19.14 GI RU - Tomcat 8.5.69
19.13 GI RU - Tomcat 8.5.69 <=== 19.13 fixed CVE-2024-21733
19.12 GI RU - Tomcat 8.5.63
19.11 GI RU - Tomcat 8.5.60
19.10 GI RU - Tomcat 8.5.59
19.9 GI RU - Tomcat 8.5.57
19.8 GI RU - Tomcat 8.5.51
19.7 GI RU - Tomcat 8.5.50
19.6 GI RU - Tomcat 8.5.42
19.5 GI RU - Tomcat 8.5.37
19.4 GI RU - Tomcat 8.5.37
19.3 GI RU - Tomcat 8.5.37
...
12.2.0.1 OCW RU 171003 - Tomcat 8.0.43
12.2.0.1 Grid Control - Tomcat 8.0.33
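To make the version check above repeatable, here is an added shell example (not from the original post, and not an Oracle tool): it parses the ServerInfo output shown above and tests the version against the CVE-2024-21733 ranges quoted earlier. The function names and the sample ServerInfo text are constructed for this example.

```shell
# Added example (not from the original post): parse the ServerInfo output
# shown above and test the version against the CVE-2024-21733 ranges
# quoted above: 8.5.7 - 8.5.63 and 9.0.0-M11 - 9.0.43.

# Pull "8.5.82" or "9.0.0.M11" out of ServerInfo output read from stdin.
tomcat_version_from_serverinfo() {
    sed -n 's#^Server version: *Apache Tomcat/##p' | head -n 1
}

# Exit 0 if the given Tomcat version is in an affected range, 1 otherwise.
# Milestones are accepted as "9.0.0-M11" (CVE text) or "9.0.0.M11" (ServerInfo).
tomcat_affected_by_cve_2024_21733() {
    ver=$1
    base=${ver%[.-]M*}                        # "9.0.0" from "9.0.0-M11"
    milestone=""
    case $ver in *[.-]M*) milestone=${ver##*M} ;; esac
    major=${base%%.*}; rest=${base#*.}
    minor=${rest%%.*};  patch=${rest#*.}
    case "$major.$minor" in
        8.5) [ "$patch" -ge 7 ] && [ "$patch" -le 63 ] ;;
        9.0)
            if [ "$patch" -eq 0 ]; then
                # 9.0.0 shipped only as milestones; M11 and later are affected
                [ -n "$milestone" ] && [ "$milestone" -ge 11 ]
            else
                [ "$patch" -le 43 ]
            fi ;;
        *) return 1 ;;                        # other branches are not listed
    esac
}

# Live check against the GI home: run as the grid user, whose ORACLE_HOME
# is the GI home, exactly as in the ServerInfo command above.
check_gi_home_tomcat() {
    (cd "$ORACLE_HOME/tomcat/lib" &&
     "$ORACLE_HOME/jdk/bin/java" -cp catalina.jar org.apache.catalina.util.ServerInfo) |
        tomcat_version_from_serverinfo
}

# Constructed sample of ServerInfo output (the 19.12 GI RU level, Tomcat 8.5.63).
SAMPLE_SERVERINFO='Server version: Apache Tomcat/8.5.63
Server number:  8.5.63.0'
v=$(printf '%s\n' "$SAMPLE_SERVERINFO" | tomcat_version_from_serverinfo)
if tomcat_affected_by_cve_2024_21733 "$v"; then
    echo "Tomcat $v: affected, apply GI RU 19.13 or newer"
else
    echo "Tomcat $v: not in an affected range"
fi
```

On a real node, replace the constructed sample with `check_gi_home_tomcat` to read the version from the GI home itself.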
What Tomcat Is Used For
Tomcat within the GI home is used to deploy the following Grid Infrastructure (GI) features:
- Oracle Quality of Service (QoS) Management – a feature within GI designed to manage database workloads on a given cluster. QoS uses ports 8888 (RMI) and 8895 (HTTP).
- Oracle Fleet Patching and Provisioning (FPP) – a feature within GI that enables standardization and automation of Oracle software provisioning, patching and upgrading. This feature was formerly known as Rapid Home Provisioning (RHP).
- Oracle Memory Guard – Memory Guard autonomously collects metrics on memory usage for every node in an Oracle Real Application Clusters (Oracle RAC) environment. Memory Guard is hosted on the qosmserver resource.
- Oracle Trace File Analyzer – Oracle Trace File Analyzer Collector and Oracle Trace File Analyzer simplify collecting diagnostic data and resolving issues.
Can I Update Tomcat Manually?
No. You can only update Apache Tomcat as part of a Release Update.
Tomcat obviously has more features; however, they are NOT used in GI, because they would have to be customized for the Oracle infrastructure, and some are not required given the nature of QoS and FPP.
NOTE: Oracle continuously monitors Tomcat fixes for CVEs. Once a fix is found, and that fix lives in an object in one of the JAR files of the compact distribution, Oracle starts the process of incorporating the Tomcat version containing the fix into GI.
IMPORTANT: Patching of Tomcat within the GI home is handled via the Quarterly Grid Infrastructure Release Updates. Patching outside of GI Release Updates is NOT supported.
To update Apache Tomcat, you must apply a newer Release Update.
Temporary Solution
Stop Tomcat (the ora.qosmserver service):
# srvctl status qosmserver
# srvctl stop qosmserver
# srvctl disable qosmserver
Note that this also stops the GI features hosted on qosmserver (QoS Management and Memory Guard, listed above), so use it only as a stopgap until the GI RU is applied.
Final Solution
Upgrade to GI RU 19.13 or newer.