Bug 2252050 (CVE-2023-46589)

Summary: CVE-2023-46589 tomcat: HTTP request smuggling via malformed trailer headers
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: tomcat 9.0.83
Doc Type: If docs needed, set a value
Doc Text:
An improper input validation flaw was found in Apache Tomcat due to incorrect parsing of HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.
Bug Depends On: 2252051
Bug Blocks: 2252194

Description Pedro Sampaio 2023-11-29 08:23:46 UTC
Affected versions:

- Apache Tomcat 11.0.0-M1 through 11.0.0-M10
- Apache Tomcat 10.1.0-M1 through 10.1.15
- Apache Tomcat 9.0.0-M1 through 9.0.82
- Apache Tomcat 8.5.0 through 8.5.95

Description:

Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

Credit:

Norihito Aimoto (OSSTech Corporation) (finder)

References:

https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr
http://www.openwall.com/lists/oss-security/2023/11/28/2
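As an added example (not part of the bug report or of Tomcat's own code), a small check that maps an installed Tomcat version onto the affected ranges and first fixed releases listed in the description; it assumes the version is given as `x.y.z` or `x.y.z-Mn`, optionally prefixed with `Apache Tomcat/` as printed by Tomcat's `version.sh`, and that milestone builds (`-Mn`) sort before the GA release with the same number.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges and the first fixed release of each branch,
# exactly as stated in the CVE-2023-46589 advisory above.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M10", "11.0.0-M11"),
    ("10.1.0-M1", "10.1.15", "10.1.16"),
    ("9.0.0-M1", "9.0.82", "9.0.83"),
    ("8.5.0", "8.5.95", "8.5.96"),
]

# Accepts "9.0.82", "11.0.0-M10" or "Apache Tomcat/9.0.82" (assumed input forms).
_VERSION_RE = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable key (major, minor, patch, is_ga, milestone).

    A milestone such as 11.0.0-M10 must sort *before* the GA 11.0.0, so the
    GA flag comes before the milestone number in the tuple.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def fixed_version_for(v: str) -> Optional[str]:
    """First fixed release on the same branch, or None if v is outside the affected ranges."""
    key = parse_version(v)
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_version(lo) <= key <= parse_version(hi):
            return fixed
    return None


def is_affected(v: str) -> bool:
    return fixed_version_for(v) is not None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("web-1", "Apache Tomcat/9.0.82"), ("web-2", "11.0.0-M11")]:
        fix = fixed_version_for(ver)
        print(f"{host}: {ver} -> {'upgrade to ' + fix if fix else 'not affected'}")
```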

Comment 1 Pedro Sampaio 2023-11-29 08:24:18 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 2252051]

Comment 8 Jean-frederic Clere 2024-01-09 13:29:15 UTC
Why High if CVE-2023-45648 was medium?

Comment 10 Jean-frederic Clere 2024-01-18 15:43:09 UTC
JWS-6.0.0 is affected; the fix is planned for 6.0.1.

Comment 12 errata-xmlrpc 2024-01-29 01:36:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0532 https://access.redhat.com/errata/RHSA-2024:0532

Comment 13 errata-xmlrpc 2024-01-29 08:20:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0539 https://access.redhat.com/errata/RHSA-2024:0539

Comment 14 Ben 2024-01-30 11:47:13 UTC
Fix coming for Red Hat Enterprise Linux 9 as well, please?

Comment 18 errata-xmlrpc 2024-03-05 08:15:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1092 https://access.redhat.com/errata/RHSA-2024:1092

Comment 19 errata-xmlrpc 2024-03-05 18:11:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1134 https://access.redhat.com/errata/RHSA-2024:1134

Comment 20 errata-xmlrpc 2024-03-18 11:13:51 UTC
This issue has been addressed in the following products:

  JWS 5.7.8

Via RHSA-2024:1319 https://access.redhat.com/errata/RHSA-2024:1319

Comment 21 errata-xmlrpc 2024-03-18 11:16:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2024:1318 https://access.redhat.com/errata/RHSA-2024:1318

Comment 22 errata-xmlrpc 2024-03-18 14:53:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 6.0 on RHEL 8
  Red Hat JBoss Web Server 6.0 on RHEL 9

Via RHSA-2024:1324 https://access.redhat.com/errata/RHSA-2024:1324

Comment 23 errata-xmlrpc 2024-03-18 14:53:50 UTC
This issue has been addressed in the following products:

  JWS 6.0.1

Via RHSA-2024:1325 https://access.redhat.com/errata/RHSA-2024:1325

Comment 25 errata-xmlrpc 2024-05-23 22:45:55 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.13.0

Via RHSA-2024:3354 https://access.redhat.com/errata/RHSA-2024:3354