Vulnerability Name: CVE-2021-30640 (CCN-205213)

Assigned: 2021-07-12
Published: 2021-07-12
Updated: 2022-10-27
Summary: A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): High
Availability (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): High
Availability (A): None
CVSS v2 Severity: 5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Complete
Availability (A): None
Vulnerability Type: CWE-116
Vulnerability Consequences: Bypass Security
References:

Source: MITRE
Type: CNA
CVE-2021-30640

Source: CCN
Type: Apache Web site
Apache Tomcat

Source: XF
Type: UNKNOWN
apache-cve202130640-sec-bypass(205213)

Source: CCN
Type: Apache Mailing List, 2021/07/12 13:04:12
CVE-2021-30640 Apache Tomcat JNDI realm authentication weakness

Source: MISC
Type: Mailing List, Vendor Advisory
https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210805 [SECURITY] [DLA 2733-1] tomcat8 security update

Source: GENTOO
Type: Third Party Advisory
GLSA-202208-34

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210827-0007/

Source: DEBIAN
Type: Third Party Advisory
DSA-4952

Source: DEBIAN
Type: Third Party Advisory
DSA-4986

Source: CCN
Type: IBM Security Bulletin 6483317 (Tivoli Application Dependency Discovery Manager)
Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2021-30640)

Source: CCN
Type: IBM Security Bulletin 6497499 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6550786 (UrbanCode Release)
IBM UrbanCode Release is affected by CVE-2021-30640

Source: CCN
Type: IBM Security Bulletin 6554908 (UrbanCode Build)
IBM UrbanCode Build is affected by CVE-2021-30640

Source: CCN
Type: IBM Security Bulletin 6568787 (Cloud Pak for Security)
Cloud Pak for Security contains packages that have multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6602007 (Rational Build Forge)
IBM Rational Build Forge is affected by Apache Tomcat version used in it. (CVE-2021-30640)

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version >= 10.0.0 and < 10.0.6)
  • OR cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version >= 9.0.0 and < 9.0.46)
  • OR cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version >= 7.0.0 and < 7.0.109)
  • OR cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version >= 8.5.0 and < 8.5.66)

Configuration 2:
  • cpe:/a:oracle:hospitality_cruise_shipboard_property_management_system:20.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.5.0)
  • OR cpe:/a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:tekelec_platform_distribution:*:*:*:*:*:*:*:* (Version >= 7.4.0 and <= 7.7.1)
  • OR cpe:/a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:tomcat:7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:8.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:10.0.0:m1:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:7.0.108:*:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:8.5.65:*:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.45:*:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:10.0.5:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:urbancode_build:6.1.4.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8167 | P | Security update for python-reportlab (Critical) | 2023-06-21
oval:org.opensuse.security:def:8187 | P | Security update for the Linux Kernel (Important) (in QA) | 2023-06-15
oval:org.opensuse.security:def:51977 | P | Security update for systemd (Important) | 2022-12-28
oval:org.opensuse.security:def:3544 | P | libFLAC++6-1.3.0-11.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:95174 | P | tomcat-9.0.36-150200.22.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:99761 | P | (Important) | 2022-03-10
oval:org.opensuse.security:def:100072 | P | (Critical) | 2022-02-08
oval:org.opensuse.security:def:113537 | P | tomcat-9.0.43-2.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:99168 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:111136 | P | Security update for tomcat (Moderate) | 2021-11-19
oval:org.opensuse.security:def:8862 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:92413 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:106451 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:69558 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:93986 | P | (Moderate) | 2021-11-16
oval:org.opensuse.security:def:100016 | P | (Moderate) | 2021-11-16
oval:org.opensuse.security:def:9812 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:96132 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:70503 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:118584 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:105858 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:67319 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:1710 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:76387 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:9057 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:92612 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:106738 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:69753 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:94198 | P | (Moderate) | 2021-11-16
oval:org.opensuse.security:def:111787 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:100352 | P | (Moderate) | 2021-11-16
oval:org.opensuse.security:def:10172 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:99363 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:92023 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:106053 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:69256 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:102151 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:9418 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:5890 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:92811 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:108817 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:69952 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:94409 | P | (Moderate) | 2021-11-16
oval:org.opensuse.security:def:100681 | P | (Moderate) | 2021-11-16
oval:org.opensuse.security:def:10363 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:99562 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:8671 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:92218 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:106252 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:69276 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:93772 | P | (Moderate) | 2021-11-16
oval:org.opensuse.security:def:102822 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:9613 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:98973 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:6230 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:95438 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:109488 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:70312 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:105663 | P | Security update for tomcat (Important) | 2021-11-16
oval:org.opensuse.security:def:66979 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:102270 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:76047 | P | Security update for tomcat (Moderate) | 2021-11-16
oval:org.opensuse.security:def:88529 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:33993 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:127186 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:59558 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:23989 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:89213 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:34584 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:59816 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:87501 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:33037 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:125622 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:89471 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:60407 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:88212 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:33735 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:126789 | P | Security update for tomcat (Important) | 2021-11-03
oval:org.opensuse.security:def:58860 | P | Security update for tomcat (Important) | 2021-11-03