CVE-2023-42795 Siemens CVE debrief
CVE-2023-42795 is a MEDIUM-severity (CVSS 5.3) Incomplete Cleanup vulnerability in Apache Tomcat, published 2024-08-13. The flaw affects Tomcat versions 11.0.0-M1 through 11.0.0-M11, 10.1.0-M1 through 10.1.13, 9.0.0-M1 through 9.0.80, and 8.5.0 through 8.5.93. When recycling internal objects, an error can cause Tomcat to skip portions of the recycling process, resulting in information leakage from the current request/response to subsequent requests. Siemens SINEC NMS is identified as an affected product incorporating the vulnerable Tomcat component. The vulnerability has been remediated in Tomcat versions 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards, and 8.5.94 onwards. Siemens has issued a vendor fix recommending update to SINEC NMS V3.0 or later. No known exploitation in ransomware campaigns has been reported, and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Siemens
- Product: SINEC NMS
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-08-13
- Original CVE updated: 2024-08-13
- Advisory published: 2024-08-13
- Advisory updated: 2024-08-13
Who should care
Organizations running Apache Tomcat in production environments, particularly those with multi-tenant applications or handling sensitive request data. Industrial operators using Siemens SINEC NMS for network management should prioritize patching due to the potential for information leakage across administrative sessions. Security teams responsible for Java application servers and OT/ICS security practitioners should assess exposure and apply vendor fixes.
Technical summary
The vulnerability stems from improper cleanup during the recycling of internal Tomcat objects. When processing requests, Tomcat reuses internal objects to improve performance. An error in this recycling mechanism can cause state from one request/response pair to persist into subsequent requests, creating a channel for information disclosure. This is classified as an Incomplete Cleanup weakness (CWE-459). The attack vector is network-accessible with low attack complexity, requiring no privileges or user interaction. The confidentiality impact is rated LOW with no integrity or availability impact. The vulnerability is exploitable without authentication, making it relevant for externally-facing Tomcat instances including those embedded in industrial management systems like Siemens SINEC NMS.
Defensive priority
medium
Recommended defensive actions
- Upgrade Apache Tomcat to fixed versions: 11.0.0-M12 or later, 10.1.14 or later, 9.0.81 or later, or 8.5.94 or later
- For Siemens SINEC NMS deployments, update to version V3.0 or later
- Review application logs for anomalous request/response behavior that may indicate information leakage
- Apply defense-in-depth controls for industrial control systems per CISA recommended practices
- Monitor vendor security advisories for additional affected products or updated guidance
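To turn the version ranges above into an inventory check, the following added example (not part of the advisory or of any vendor tooling) classifies Tomcat version strings against the affected and fixed versions listed on this page. The host names and banner lines are constructed sample data, and the assumption is that each host's version is available in the usual `Apache Tomcat/<version>` form.

```python
import re

# (first affected, first fixed) per branch, exactly as listed on this page.
RANGES = [
    ("11.0.0-M1", "11.0.0-M12"),
    ("10.1.0-M1", "10.1.14"),
    ("9.0.0-M1", "9.0.81"),
    ("8.5.0", "8.5.94"),
]
_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")

def parse(version):
    """Sortable key; milestone builds (-Mn) order before the final release."""
    m = _VER.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, ms = m.groups()
    pre = (0, int(ms)) if ms else (1, 0)
    return (int(major), int(minor), int(patch)) + pre

def classify(version):
    """Return 'affected', 'fixed', or 'not-listed' for CVE-2023-42795."""
    key = parse(version)
    for first, fixed in RANGES:
        lo, hi = parse(first), parse(fixed)
        if lo <= key < hi:
            return "affected"
        # Only call a build fixed if it is on the same major.minor branch.
        if key >= hi and key[:2] == hi[:2]:
            return "fixed"
    return "not-listed"  # branch not covered by this page; check separately

def triage(lines):
    """Map host -> status from 'host<space>Apache Tomcat/<version>' lines."""
    out = {}
    for line in lines:
        host, _, banner = line.partition(" ")
        m = re.search(r"Apache Tomcat/(\S+)", banner)
        out[host] = classify(m.group(1)) if m else "no-banner"
    return out

# Constructed inventory (hypothetical hosts), not data from the advisory.
SAMPLE = [
    "nms-01 Apache Tomcat/9.0.80",
    "nms-02 Apache Tomcat/9.0.81",
    "app-03 Apache Tomcat/10.1.0-M17",
    "app-04 Apache Tomcat/11.0.0-M12",
    "old-05 Apache Tomcat/10.0.27",
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

A `not-listed` result means only that the branch is outside the ranges this page gives, not that the build is unaffected.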
Evidence notes
CVE description and affected version ranges sourced from official CVE record and CISA CSAF advisory ICSA-24-228-06. Siemens vendor attribution and SINEC NMS product impact confirmed via CSAF product tree with high confidence. Remediation guidance derived from vendor-provided fix information in source advisory.
Official resources
- CVE-2023-42795 CVE record (CVE.org)
- CVE-2023-42795 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-08-13