Bug 1806835 (CVE-2020-1935)
| Summary: | CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Ted Jongseok Won <jwon> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | aboyko, aileenc, akoufoud, alazarot, alee, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, cmoulliard, coolsvap, csutherl, darran.lofthouse, dbecker, dchong, dkreling, dmasirka, dosoudil, drieden, etirelli, ggaughan, gzaronik, ibek, ikanello, ivan.afonichev, iweiss, janstey, java-sig-commits, jawilson, jbalunas, jclere, jjoyce, jlyle, jochrist, jpallich, jperkins, jschluet, jstastny, jwon, kbasil, krathod, krzysztof.daniel, kverlaen, kwills, kyoshida, lgao, lhh, lpeer, lthon, mbabacek, mburns, mkolesni, mnovotny, msochure, msvehla, mszynkie, myarboro, nbhumkar, nwallace, paradhya, pgallagh, pjindal, pmackay, psotirop, rfreire, rguimara, rhcs-maint, rrajasek, rruss, rsvoboda, rsynek, sclewis, scohen, sdaley, slinaber, smaestri, tcrider, tom.jenkinson, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | tomcat 9.0.31, tomcat 8.5.51, tomcat 7.0.100 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. The highest threat with this vulnerability is system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-21 16:31:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1814315, 1814316, 1930276, 1930277 | ||
| Bug Blocks: | 1806837, 1946546 | ||
|
Description
Ted Jongseok Won
2020-02-25 06:33:03 UTC
Acknowledgments: Name: @ZeddYu (Apache Tomcat Security Team) External References: https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31 This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2020:1521 https://access.redhat.com/errata/RHSA-2020:1521 This issue has been addressed in the following products: Red Hat JBoss Web Server 5.3 on RHEL 7 Red Hat JBoss Web Server 5.3 on RHEL 6 Red Hat JBoss Web Server 5.3 on RHEL 8 Via RHSA-2020:1520 https://access.redhat.com/errata/RHSA-2020:1520 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1935 Statement: OpenDaylight in Red Hat OpenStack 10 & 13 was in technical preview status, because of this no fixes will be released for it. In Red Hat Satellite 6, Candlepin is using Tomcat to provide a REST API, and has been found to be vulnerable to the flaw. However, it is currently believed that no useful attacks can be carried over. Mitigation: Workaround for Red Hat Satellite 6 is to add iptables rule to deny TCP requests of Tomcat that are not originating from the Satellite. For other Red Hat products, either mitigation isn't available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. This issue has been addressed in the following products: Red Hat Runtimes Spring Boot 2.1.13 Via RHSA-2020:2367 https://access.redhat.com/errata/RHSA-2020:2367 This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2020:3303 https://access.redhat.com/errata/RHSA-2020:3303 This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2020:3305 https://access.redhat.com/errata/RHSA-2020:3305 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:5020 https://access.redhat.com/errata/RHSA-2020:5020 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2021:0882 https://access.redhat.com/errata/RHSA-2021:0882 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2021:1030 https://access.redhat.com/errata/RHSA-2021:1030 This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140 |