Bug 2141329 (CVE-2022-42252)

Summary: CVE-2022-42252 tomcat: request smuggling
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: csutherl, huwang, jclere, jwon, kyoshida, mescanfe, mmadzin, peholase, pjindal, rhcs-maint, sbalasub, suwu, szappis
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: tomcat 10.1.1, tomcat 10.0.27, tomcat 9.0.68, tomcat 8.5.83
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Tomcat. If the server is configured to ignore invalid HTTP headers, the server does not reject a request containing an invalid content-length header, making it vulnerable to a request smuggling attack.
Story Points: ---
Last Closed: 2023-04-12 18:39:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2141333, 2141334, 2142463, 2142464, 2173688, 2173689
Bug Blocks: 2139613

Description Patrick Del Bello 2022-11-09 14:01:33 UTC
If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq
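As an added illustration, not part of this bug report and not Tomcat's own code, the following Python shows the strict Content-Length check that a server or an intermediary reverse proxy should apply so that a request with a malformed Content-Length header is refused rather than forwarded. It applies the RFC 9110 rule that the value is one or more ASCII digits and that a repeated Content-Length header is acceptable only when every copy carries the same value. The request heads below are constructed for this example; the function and class names are this example's own.

```python
"""Strict validation of the Content-Length header on a raw HTTP/1.1 request head.

Added example for CVE-2022-42252: a server (or a reverse proxy in front of it)
that rejects malformed Content-Length headers removes the ambiguity that
request smuggling depends on. Names here are this example's own.
"""
import re
from typing import List, Optional, Tuple

# RFC 9110 section 8.6: Content-Length = 1*DIGIT (no sign, no whitespace, no hex)
_DIGITS = re.compile(r"[0-9]+")


class InvalidHeader(ValueError):
    """Raised for any header the strict parser refuses to accept."""


def parse_header_block(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw request head (request line plus headers) into (name, value) pairs.

    Names are lower-cased; values have surrounding whitespace stripped.
    Any line that is not a well-formed 'Name: value' field is rejected.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    fields: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # index 0 is the request line
        if not line:
            continue
        if line[0] in " \t":
            # obsolete line folding is not accepted (RFC 9112 section 5.2)
            raise InvalidHeader(f"folded header line: {line!r}")
        if ":" not in line:
            raise InvalidHeader(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        if not name or name != name.strip():
            # empty name or whitespace before the colon (RFC 9112 section 5.1)
            raise InvalidHeader(f"bad field name: {name!r}")
        fields.append((name.lower(), value.strip()))
    return fields


def validated_content_length(raw: bytes) -> Optional[int]:
    """Return the single, well-formed Content-Length value, or None if absent.

    Raises InvalidHeader if any Content-Length value is not 1*DIGIT or if
    repeated values (separate headers or a comma list) disagree.
    """
    values = [v for name, v in parse_header_block(raw) if name == "content-length"]
    if not values:
        return None
    members: List[str] = []
    for v in values:
        members.extend(m.strip() for m in v.split(","))
    for m in members:
        if not _DIGITS.fullmatch(m):
            raise InvalidHeader(f"non-numeric Content-Length: {m!r}")
    distinct = set(members)
    if len(distinct) != 1:
        raise InvalidHeader(f"conflicting Content-Length values: {sorted(distinct)}")
    return int(distinct.pop())


def should_reject(raw: bytes) -> bool:
    """True when the request head must be refused (the behaviour a fixed server has)."""
    try:
        validated_content_length(raw)
    except InvalidHeader:
        return True
    return False


# Constructed sample request heads (not taken from the advisory).
GOOD = b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
BAD_NON_NUMERIC = b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5x\r\n\r\nhello"
BAD_CONFLICT = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello")
NO_BODY = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("non-numeric", BAD_NON_NUMERIC),
                       ("conflict", BAD_CONFLICT), ("no body", NO_BODY)]:
        print(f"{label:12} reject={should_reject(req)}")
```

The lenient behaviour described in the report is the opposite of this check: the invalid header is skipped rather than causing a 400 response, so the body boundary the proxy assumed and the one Tomcat uses can differ. In Tomcat the behaviour is governed by the Connector attribute named above, rejectIllegalHeader; the versions listed under Fixed In Version reject such requests regardless of that setting.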

Comment 1 Patrick Del Bello 2022-11-09 14:04:32 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 2141333]
Affects: fedora-all [bug 2141334]

Comment 9 errata-xmlrpc 2023-04-12 12:27:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:1663 https://access.redhat.com/errata/RHSA-2023:1663

Comment 10 errata-xmlrpc 2023-04-12 12:49:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:1664 https://access.redhat.com/errata/RHSA-2023:1664

Comment 11 Product Security DevOps Team 2023-04-12 18:39:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-42252