Bug 1806849 (CVE-2019-17569)
| Field | Value |
|---|---|
| Summary | CVE-2019-17569 tomcat: Regression in handling of Transfer-Encoding header allows for HTTP request smuggling |
| Product | [Other] Security Response |
| Reporter | Ted Jongseok Won <jwon> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| QA Contact | |
| Severity | low |
| Docs Contact | |
| Priority | low |
| Version | unspecified |
| CC | aboyko, aileenc, akoufoud, alazarot, alee, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, cmoulliard, coolsvap, csutherl, darran.lofthouse, dbecker, dkreling, dmasirka, dosoudil, drieden, etirelli, ggaughan, gzaronik, ibek, ikanello, ivan.afonichev, iweiss, janstey, java-sig-commits, jawilson, jbalunas, jclere, jjoyce, jlyle, jochrist, jpallich, jperkins, jschluet, jstastny, jwon, kbasil, krathod, krzysztof.daniel, kverlaen, kwills, kyoshida, lgao, lhh, lpeer, lthon, mbabacek, mburns, mkolesni, mnovotny, msochure, msvehla, mszynkie, myarboro, nwallace, paradhya, pgallagh, pjindal, pmackay, psotirop, rguimara, rhcs-maint, rrajasek, rruss, rsvoboda, rsynek, sclewis, scohen, sdaley, slinaber, smaestri, tom.jenkinson, weli |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | tomcat 9.0.31, tomcat 8.5.51, tomcat 7.0.100 |
| Doc Type | If docs needed, set a value |
| Doc Text | A refactoring in 9.0.28 introduced a regression: invalid Transfer-Encoding headers were incorrectly processed, leading to possible HTTP request smuggling if Tomcat was located behind a reverse proxy that itself mishandled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. Affected versions: Apache Tomcat 9 (9.0.28 to 9.0.30), Tomcat 8 (8.5.48 to 8.5.50) and Tomcat 7 (7.0.98 to 7.0.99). |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2020-03-18 16:31:47 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1806851 |
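The Doc Text above describes the risk only in general terms: a server that accepts an invalid Transfer-Encoding header while the proxy in front of it frames the same request differently creates a smuggling window. The following is an added example, not Tomcat's or Red Hat's code, of the strict framing rules a defender expects from the origin side of a proxy chain, taken from RFC 7230 sections 3.2, 3.3 and 4: field names and transfer-codings must be tokens, the Transfer-Encoding list must contain only known codings with `chunked` exactly once and last, a request carrying both Transfer-Encoding and Content-Length is rejected, and conflicting or non-numeric Content-Length values are rejected. The bug report does not say which invalid forms the Tomcat regression mishandled, so the rules here are generic, and all sample requests are constructed for the demonstration.

```python
"""Strict HTTP/1.1 request-framing check (added example; not Tomcat code).

Implements the RFC 7230 rules a server should apply before trusting the
message framing of a request that arrived through a reverse proxy.
"""
import re
from typing import List, Tuple

# RFC 7230 "token" characters: field names and transfer-coding names must match.
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
# Transfer-codings registered in RFC 7230 section 4 plus the x- aliases it grandfathers.
_KNOWN_CODINGS = {"chunked", "compress", "x-compress", "deflate", "gzip", "x-gzip"}


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw request into its request-line and lower-cased (name, value) pairs.

    Raises ValueError for forms RFC 7230 section 3.2 tells a server to reject:
    obsolete line folding, whitespace before the colon, non-token field names.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by CRLF CRLF")
    lines = head.decode("latin-1").split("\r\n")
    request_line, field_lines = lines[0], lines[1:]
    fields = []
    for line in field_lines:
        if line[:1] in (" ", "\t"):
            raise ValueError("obsolete line folding (obs-fold) rejected")
        name, colon, value = line.partition(":")
        if not colon or not _TOKEN.match(name):  # also catches "Name :" with a space
            raise ValueError(f"malformed header field: {line!r}")
        fields.append((name.lower(), value.strip(" \t")))
    return request_line, fields


def validate_transfer_encoding(values: List[str]) -> None:
    """Check the combined Transfer-Encoding list (RFC 7230 sections 3.3.1 and 4)."""
    codings = []
    for v in values:  # multiple header fields combine into one comma-separated list
        codings.extend(part.strip(" \t") for part in v.split(","))
    codings = [c for c in codings if c]  # list headers may contain empty elements
    if not codings:
        raise ValueError("Transfer-Encoding present but empty")
    names = []
    for c in codings:
        name = c.split(";", 1)[0].strip(" \t").lower()  # drop coding parameters
        if not _TOKEN.match(name):
            raise ValueError(f"transfer-coding is not a token: {c!r}")
        if name not in _KNOWN_CODINGS:
            raise ValueError(f"unknown transfer-coding: {name!r}")
        names.append(name)
    if names.count("chunked") != 1 or names[-1] != "chunked":
        raise ValueError("chunked must appear exactly once, as the final transfer-coding")


def classify_framing(raw: bytes) -> Tuple[str, str]:
    """Return (framing, detail); framing is 'chunked', 'content-length', 'none' or 'reject'."""
    try:
        _req, fields = parse_headers(raw)
        te = [v for n, v in fields if n == "transfer-encoding"]
        cl = [v for n, v in fields if n == "content-length"]
        if te and cl:
            # RFC 7230 3.3.3 lets TE win, but a strict server refuses the ambiguity outright.
            raise ValueError("both Transfer-Encoding and Content-Length present")
        if te:
            validate_transfer_encoding(te)
            return "chunked", ""
        if cl:
            # Identical duplicates are tolerated by the RFC; differing or non-numeric values are not.
            if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
                raise ValueError(f"invalid Content-Length: {cl!r}")
            return "content-length", cl[0]
        return "none", ""
    except ValueError as exc:
        return "reject", str(exc)


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain chunked": b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n",
    "gzip then chunked": b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: gzip, chunked\r\n\r\n",
    "content length": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 12\r\n\r\n",
    "te and cl together": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n",
    "unknown coding": b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: foo\r\n\r\n",
    "chunked not last": b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
    "bad content length": b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 12abc\r\n\r\n",
}


def check_samples() -> dict:
    """Classify every constructed sample; returns {name: framing}."""
    return {name: classify_framing(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} -> {classify_framing(raw)}")
```

The design point is that the same strict decision must be made on both hops: a proxy that forwards a request this code would reject is exactly the "reverse proxy that incorrectly handled the invalid Transfer-Encoding header" the Doc Text describes, so the check belongs in front of the application as well as at the origin.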
Description
Ted Jongseok Won
2020-02-25 07:13:35 UTC
Acknowledgments: Name: @ZeddYu (Apache Tomcat Security Team)

External References:
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31

Statement: This flaw did not affect the versions of Tomcat as shipped with Red Hat Enterprise Linux 5, 6, 7 and 8, as they did not include the vulnerable code, which was introduced in a later version of the package. OpenDaylight in Red Hat OpenStack 10 & 13 was in technical preview status; because of this, no fixes will be released for it.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-17569

This issue has been addressed in the following products: Red Hat JBoss Web Server. Via RHSA-2020:1521 https://access.redhat.com/errata/RHSA-2020:1521

This issue has been addressed in the following products: Red Hat JBoss Web Server 5.3 on RHEL 7, Red Hat JBoss Web Server 5.3 on RHEL 6, Red Hat JBoss Web Server 5.3 on RHEL 8. Via RHSA-2020:1520 https://access.redhat.com/errata/RHSA-2020:1520