Bug 1806849 (CVE-2019-17569)

Summary: CVE-2019-17569 tomcat: Regression in handling of Transfer-Encoding header allows for HTTP request smuggling
Product: [Other] Security Response
Reporter: Ted Jongseok Won <jwon>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: tomcat 9.0.31, tomcat 8.5.51, tomcat 7.0.100
Doc Type: If docs needed, set a value
Doc Text:
The refactoring in 9.0.28 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. It affects the versions of Apache Tomcat 9 (9.0.28 to 9.0.30), Tomcat 8 (8.5.48 to 8.5.50), and Tomcat 7 (7.0.98 to 7.0.99).
Story Points: ---
Last Closed: 2020-03-18 16:31:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1806851

Description Ted Jongseok Won 2020-02-25 07:13:35 UTC
The refactoring in 9.0.28 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

It affects the versions of Apache Tomcat 9 from 9.0.28 to 9.0.30, Tomcat 8 from 8.5.48 to 8.5.50, and Tomcat 7 from 7.0.98 to 7.0.99.

Upstream Patches:
https://github.com/apache/tomcat/commit/060ecc5 / tomcat9
https://github.com/apache/tomcat/commit/959f1df / tomcat8
https://github.com/apache/tomcat/commit/b191a0d / tomcat7
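To make the failure mode in the description concrete, here is an added Python model of request-body framing (not Tomcat's code and not from this bug): a lenient parser that silently drops an unrecognised Transfer-Encoding coding and falls back to Content-Length, beside a strict one that rejects the request as RFC 7230 directs. The header dictionaries and the exact lenient behaviour are constructed assumptions; any case where the two readings differ is a request whose framing depends on which hop parses it, which is the ambiguity that request smuggling relies on.

```python
"""Request-body framing from Transfer-Encoding (TE) / Content-Length (CL).

Added illustration, not Apache Tomcat's code. Assumes the lenient server drops
unrecognised codings and falls back to CL, which is one form of the defect the
report describes. Header names are assumed to be lower-cased already.
"""
from typing import Dict, List

# Transfer codings registered for HTTP/1.1 (RFC 7230 section 4 / IANA registry)
KNOWN_CODINGS = {"chunked", "compress", "deflate", "gzip", "identity",
                 "x-compress", "x-gzip"}


def parse_te(value: str) -> List[str]:
    """Split a TE header value into lower-cased coding names (no parameters)."""
    return [c.strip().lower() for c in value.split(",") if c.strip()]


def lenient_framing(headers: Dict[str, str]) -> str:
    """Modelled pre-fix behaviour: unknown codings are ignored, so an invalid
    TE header leaves the request framed by Content-Length."""
    te = headers.get("transfer-encoding")
    if te is not None and "chunked" in [c for c in parse_te(te) if c in KNOWN_CODINGS]:
        return "chunked"
    if "content-length" in headers:
        return "content-length"
    return "none"


def strict_framing(headers: Dict[str, str]) -> str:
    """RFC 7230 section 3.3 handling: an unrecognised coding is rejected (501 per
    3.3.1); 'chunked' that is not the final coding is rejected (400 per 3.3.3);
    when TE is valid, any Content-Length present is ignored."""
    te = headers.get("transfer-encoding")
    if te is None:
        return "content-length" if "content-length" in headers else "none"
    codings = parse_te(te)
    if not codings or any(c not in KNOWN_CODINGS for c in codings):
        return "reject:unknown-coding"
    if codings[-1] != "chunked":
        return "reject:chunked-not-final"
    return "chunked"


def framings_disagree(headers: Dict[str, str]) -> bool:
    """True when the lenient and the conforming reading differ, i.e. the
    request's body boundary depends on which parser sees it."""
    return lenient_framing(headers) != strict_framing(headers)


# Constructed sample header sets (not taken from the bug report)
VALID_TE = {"transfer-encoding": "chunked", "content-length": "5"}
INVALID_TE = {"transfer-encoding": "bogus", "content-length": "5"}
```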

Comment 1 Ted Jongseok Won 2020-02-25 07:13:42 UTC
Acknowledgments:

Name: @ZeddYu (Apache Tomcat Security Team)

Comment 10 Mauro Matteo Cascella 2020-03-18 09:36:44 UTC
Statement:

This flaw did not affect the versions of Tomcat as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8, as they did not include the vulnerable code, which was introduced in a later version of the package.

OpenDaylight in Red Hat OpenStack 10 & 13 was in Technical Preview status; because of this, no fixes will be released for it.

Comment 12 Product Security DevOps Team 2020-03-18 16:31:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-17569

Comment 13 errata-xmlrpc 2020-04-21 10:56:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2020:1521 https://access.redhat.com/errata/RHSA-2020:1521

Comment 14 errata-xmlrpc 2020-04-21 11:07:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.3 on RHEL 7
  Red Hat JBoss Web Server 5.3 on RHEL 6
  Red Hat JBoss Web Server 5.3 on RHEL 8

Via RHSA-2020:1520 https://access.redhat.com/errata/RHSA-2020:1520