Bug 2141329 (CVE-2022-42252)

Summary: CVE-2022-42252 tomcat: request smuggling
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: ben.argyle, csutherl, huwang, jclere, jwon, kyoshida, mescanfe, mmadzin, peholase, pjindal, rhcs-maint, saroy, sbalasub, suwu, szappis
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: tomcat 10.1.1, tomcat 10.0.27, tomcat 9.0.68, tomcat 8.5.83
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Tomcat. If the server is configured to ignore invalid HTTP headers (rejectIllegalHeader set to false), it does not reject a request containing an invalid Content-Length header, making it vulnerable to a request smuggling attack when it is deployed behind a reverse proxy that also accepts the request.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-04-12 18:39:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2141333, 2141334, 2142463, 2142464, 2173688, 2173689
Bug Blocks: 2139613

Description Patrick Del Bello 2022-11-09 14:01:33 UTC
If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq
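
The framing disagreement the description refers to, as an added toy model written for this page: it is not Apache Tomcat's code and not part of this bug report, and the byte stream, host name and policy names are constructed. Three parsers read the same stream under three Content-Length policies: a reverse proxy that fails to reject an RFC-invalid value (here a leading '+', which Python's int() accepts), the pre-fix rejectIllegalHeader=false behaviour in which the illegal header is dropped, and the rejecting behaviour. The model assumes that a dropped Content-Length leaves the body unread, which is what turns the forwarded body into a second request at the backend; the page only states that the request was not rejected, not how Tomcat handled the body internally.

```python
"""Toy model of the request-framing disagreement behind CVE-2022-42252.

Constructed example, not Apache Tomcat code. One byte stream is parsed
under three Content-Length policies:

  lenient  a reverse proxy that does not reject an RFC-invalid value
           (a leading '+', which Python's int() accepts)
  ignore   the pre-fix rejectIllegalHeader=false behaviour the bug describes:
           the illegal header is dropped and (model assumption) no body is read
  reject   rejectIllegalHeader=true, and the post-fix behaviour for an
           invalid Content-Length: the request is refused (HTTP 400)

If the proxy forwards the body but the backend reads none, the backend parses
the body bytes as a second request. That is the smuggling.
"""
import re
from typing import List, Tuple

# RFC 9110 section 8.6: Content-Length = 1*DIGIT. No sign, no whitespace.
DIGITS = re.compile(rb"[0-9]+")


class BadRequest(Exception):
    """The parser refused the request (an HTTP 400 in a real server)."""


def _read_head(stream: bytes, pos: int) -> Tuple[bytes, List[Tuple[bytes, bytes]], int]:
    """Split one request head off the stream.

    Returns the request line, (lower-cased name, value) header pairs and the
    offset of the first body byte.
    """
    end = stream.find(b"\r\n\r\n", pos)
    if end < 0:
        raise BadRequest("incomplete request head")
    request_line, *header_lines = stream[pos:end].split(b"\r\n")
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise BadRequest("malformed header field")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers, end + 4


def _body_length(headers: List[Tuple[bytes, bytes]], policy: str) -> int:
    """Decide how many body bytes follow the head under the given policy."""
    values = [v for n, v in headers if n == b"content-length"]
    if not values:
        return 0
    if len(values) > 1:
        raise BadRequest("multiple Content-Length fields")
    value = values[0]
    if DIGITS.fullmatch(value):
        return int(value)            # well-formed: every policy agrees
    if policy == "lenient":
        try:
            return int(value)        # b"+43" -> 43, although "+43" is not 1*DIGIT
        except ValueError:
            raise BadRequest("unparseable Content-Length") from None
    if policy == "ignore":
        return 0                     # header dropped, body left unread
    raise BadRequest("invalid Content-Length")


def parse_stream(stream: bytes, policy: str) -> List[Tuple[bytes, bytes]]:
    """Parse every request in the stream as (request line, body) pairs."""
    requests = []
    pos = 0
    while pos < len(stream):
        request_line, headers, pos = _read_head(stream, pos)
        length = _body_length(headers, policy)
        body = stream[pos:pos + length]
        if len(body) != length:
            raise BadRequest("truncated body")
        requests.append((request_line, body))
        pos += length
    return requests


# Constructed traffic: a POST whose body is itself a complete GET request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend.test\r\n\r\n"
STREAM = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: backend.test\r\n"
    b"Content-Length: +" + str(len(SMUGGLED)).encode() + b"\r\n"
    b"\r\n" + SMUGGLED
)


def framing(policy: str) -> List[bytes]:
    """Request lines a parser with this policy sees, or [b'400'] if it refuses."""
    try:
        return [line for line, _ in parse_stream(STREAM, policy)]
    except BadRequest:
        return [b"400"]


if __name__ == "__main__":
    for policy in ("lenient", "ignore", "reject"):
        print(f"{policy:8} -> {framing(policy)}")
```

The lenient proxy sees one POST carrying the GET as its body; the ignoring backend sees a POST with no body followed by a GET /admin that the proxy never saw as a request; the rejecting backend returns 400 and nothing is desynchronised. The operational counterpart is the rejectIllegalHeader attribute on each HTTP Connector in server.xml: set it to true explicitly rather than relying on the default (the description notes the default was false on 8.5.x), and update to the versions listed under Fixed In Version.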

Comment 1 Patrick Del Bello 2022-11-09 14:04:32 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 2141333]
Affects: fedora-all [bug 2141334]

Comment 9 errata-xmlrpc 2023-04-12 12:27:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:1663 https://access.redhat.com/errata/RHSA-2023:1663

Comment 10 errata-xmlrpc 2023-04-12 12:49:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:1664 https://access.redhat.com/errata/RHSA-2023:1664

Comment 11 Product Security DevOps Team 2023-04-12 18:39:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-42252

Comment 15 Ben 2023-10-12 09:51:49 UTC
This bug has not been fixed in Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, but the one available to anyone running plain old RHEL 8 or 9).

Comment 16 Patrick Del Bello 2023-10-17 14:12:42 UTC
Ben, yes, you are correct, it was not fixed. This CVE is from 2022 and it was previously defined as WONTFIX since it is considered a low-impact CVE. There was an update to this CVE, so I re-opened it a few weeks ago so engineering can re-evaluate their decision. It may take some time to get updated, but you are correct. If there is a fix, you will see the customer portal page updated with the necessary information (fixed info/RHSA); if they decide to keep the WONTFIX decision, the page will be updated with that information too.

Comment 17 Ben 2024-03-05 09:05:33 UTC
Hi Patrick, I don't suppose there's been any update on this, please?  What would be amazing would be if RH had decided to rebase Tomcat for RHEL 8 and 9 to something more recent than 9.0.62 (such as 9.0.86!), but I doubt that will happen in the remaining lifetime of RHEL 8 or 9.  In the meantime, my Tenable cloud scanner is still complaining that all of my Tomcat installations are still vulnerable to CVE-2022-42252 and I can't in good conscience say to ignore it.

Frankly it's disappointing that Tenable aren't working with RH to maintain a proper database of what CVE fixes are backported into things like Tomcat, OpenSSL, Apache, etc.  But that's a whole other Thing.

Comment 20 Patrick Del Bello 2024-03-07 13:10:52 UTC
Hi Ben,

We are checking internally to understand the situation. Please allow us some time to respond back.

Comment 22 Ben 2024-05-02 14:33:09 UTC
That's great news, thank you Patrick.  Has there been any development?  https://access.redhat.com/security/cve/CVE-2022-42252 still just says "Affected".

Comment 23 Patrick Del Bello 2024-05-08 00:39:29 UTC
Ben,

I received a response: 

The flaw was addressed initially in the following Red Hat build of tomcat (org.apache.tomcat-tomcat-parent-9.0.62.redhat_00011-1). The latest released tomcat builds on RHEL 8 and RHEL 9 are the following:

* RHEL 8.8.0.Z.EUS: The build consumes sources of 9.0.62.redhat-00018
* RHEL 8.9.0.Z.MAIN: The build consumes sources of 9.0.62.redhat-00018
* RHEL 9.2.0.6-AppStream EUS: The build consumes sources of 9.0.62.redhat-00018
* RHEL 9.3.0.3-AppStream: The build consumes sources of 9.0.62.redhat-00018

The available tomcat builds are NOT affected by this CVE; hope this helps clear up the situation.

Comment 24 Patrick Del Bello 2024-05-08 00:39:47 UTC
Maybe we can update this @Sandipan?