Bug 65517 - upgrade to axis2-adb 1.8.0 to address CVE-2020-0822
Summary: upgrade to axis2-adb 1.8.0 to address CVE-2020-0822
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Packaging
Version: 9.0.52
Hardware: PC All
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2021-08-23 19:56 UTC by Jeehong Min
Modified: 2021-09-15 16:10 UTC
Description Jeehong Min 2021-08-23 19:56:58 UTC
See https://nvd.nist.gov/vuln/detail/CVE-2020-0822 for more info.

Tomcat 9.0.52 ships with version 1.7.9. Version 1.8.0 is available which addresses this CVE.

See https://lists.apache.org/thread.html/r258f18d563859c0ef9584fd7341426bd14f5042bdf7e7bc396d91272@%3Cjava-dev.axis.apache.org%3E which shows the axis2 team addressing this CVE in version 1.8.0.
Comment 1 Mikko Suonio 2021-09-15 10:34:43 UTC
Can you comment on why this is invalid? Since this is related to a CVE, the impact needs to be analyzed in many organizations.
Comment 2 Mark Thomas 2021-09-15 10:58:23 UTC
Let me turn that around. What is your basis for claiming that this is a valid vulnerability in Apache Tomcat?

(Hint: The original description for this contained multiple inaccuracies so don't take any of that information at face value)
Comment 3 Jeehong Min 2021-09-15 13:57:17 UTC
I filed the original bug. Afterwards, I realized that I made a mistake when I was tracing dependencies with CVEs. Tomcat does not have any dependencies on axis2-adb.
Comment 4 Mikko Suonio 2021-09-15 16:10:01 UTC
I would like Tomcat developers to state clearly that this is not a valid vulnerability. This would make it easier for Tomcat users to dismiss the issue detected by vulnerability analysis of their software.

Also, it would be excellent if you could communicate these inaccuracies to NIST NVD. This might help to correct the CVE description faster and reduce the impact on Tomcat users. If this is not possible, users could point NIST staff to the issue description on the Tomcat site and forums, if available.

Thank you for the quick response. I do not understand why Tomcat was associated with this CVE.