Bug 1109196 (CVE-2014-0227) - CVE-2014-0227 Tomcat/JBossWeb: request smuggling and limited DoS in ChunkedInputFilter
Summary: CVE-2014-0227 Tomcat/JBossWeb: request smuggling and limited DoS in ChunkedInputFilter
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0227
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1109208 1109199 1109200 1109201 1109202 1109203 1109204 1109205 1109206 1109207 1109209 1109210 1109211 1109212 1109213 1109216 1109217 1109218 1109219 1109220 1109221 1109223 1109225 1109226 1109227 1109228 1109229 1160690 1190821
Blocks: 1082938 1119820 1119823 1127901 1181883 1182400 1182419 1200191
 
Reported: 2014-06-13 12:55 UTC by Arun Babu Neelicattu
Modified: 2021-02-17 06:28 UTC (History)

Fixed In Version: JBossWeb 7.4.6.Final, Tomcat 7.0.55, Tomcat 6.0.43
Doc Type: Bug Fix
Doc Text:
It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make Tomcat process part of the request body as a new request, or cause a denial of service.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:33:32 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0234 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.3 security update 2015-02-18 03:27:47 UTC
Red Hat Product Errata RHSA-2015:0235 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.3 security update 2015-02-18 03:27:36 UTC
Red Hat Product Errata RHSA-2015:0675 0 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.1.0 update 2015-03-11 20:51:21 UTC
Red Hat Product Errata RHSA-2015:0720 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse Service Works 6.0.0 security update 2015-03-25 01:05:53 UTC
Red Hat Product Errata RHSA-2015:0765 0 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.0.0 security update 2015-03-31 21:00:43 UTC
Red Hat Product Errata RHSA-2015:0983 0 normal SHIPPED_LIVE Moderate: tomcat security update 2015-05-12 20:37:36 UTC
Red Hat Product Errata RHSA-2015:0991 0 normal SHIPPED_LIVE Moderate: tomcat6 security and bug fix update 2015-05-12 22:20:15 UTC
Red Hat Product Errata RHSA-2015:1009 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC

Description Arun Babu Neelicattu 2014-06-13 12:55:29 UTC
It was discovered that the ChunkedInputFilter implementation did not fail subsequent attempts to read input early enough. A remote attacker could use this flaw to perform a denial of service attack, by streaming an unlimited quantity of data, leading to consumption of server resources.

Comment 1 Arun Babu Neelicattu 2014-06-13 12:59:54 UTC
Upstream Fix:

Tomcat: http://svn.apache.org/viewvc?view=revision&revision=1600984
JBossWeb: https://source.jboss.org/changelog/JBossWeb?cs=2455

Comment 19 Martin Prpič 2015-02-09 16:42:45 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1190821]

Comment 21 errata-xmlrpc 2015-02-17 22:29:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 22 errata-xmlrpc 2015-02-17 22:33:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

Comment 24 Fedora Update System 2015-02-23 08:02:45 UTC
tomcat-7.0.59-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 25 Tomas Hoger 2015-03-11 10:41:01 UTC
Tomcat upstream advisories (see comment 18 above) point out additional impact - request smuggling.  Tomcat may read next request from the malformed chunked request body, rather than aborting connection as soon as the first encoding issue is detected.

Upstream does not indicate where this may have practical impact, as Tomcat accepts multiple requests pipelined in a single connection.  It seems this may have an impact in deployments where Tomcat is accessed via a reverse proxy that only exposes certain paths / web applications.  This may possibly allow bypass of proxy restrictions and allow access to URLs not exposed by the proxy.  However, this attack would require the proxy to allow malformed requests to be passed to Tomcat.
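Added illustration (not part of the bug report, and not Tomcat or JBossWeb code): a small Python model of the hardened behaviour the fix introduced. The decoder keeps a sticky error flag, so once malformed chunked encoding is detected every further read on that body fails, and the modelled request loop closes the connection instead of resuming at the position where parsing stopped. The bounds on the chunk-size line and trailer section, the helper names, and the sample requests are assumptions constructed for this example.

```python
import re

# Assumed limits (not Tomcat's own values): bound the chunk-size line and the
# trailer section so a client cannot stream unbounded data through them.
MAX_CHUNK_HEADER_LINE = 64
MAX_TRAILER_BYTES = 1024


class MalformedChunkedEncoding(Exception):
    """Raised on the first encoding error and on every read after it."""


class ChunkedDecoder:
    """Decodes a chunked body from `raw` starting at byte offset `pos`.

    `error` is sticky: once set, read_chunk() refuses to return any more
    bytes, which is the property the upstream fix adds to ChunkedInputFilter.
    """

    def __init__(self, raw: bytes, pos: int = 0) -> None:
        self.raw = raw
        self.pos = pos
        self.error = False
        self.done = False

    def _fail(self, msg: str) -> None:
        self.error = True          # poison the decoder before raising
        raise MalformedChunkedEncoding(msg)

    def _read_line(self, limit: int) -> bytes:
        # Only search within `limit` bytes so an endless line is rejected.
        end = self.raw.find(b"\r\n", self.pos, self.pos + limit + 2)
        if end < 0:
            self._fail("line missing CRLF or longer than %d bytes" % limit)
        line = self.raw[self.pos:end]
        self.pos = end + 2
        return line

    def _read_trailers(self) -> None:
        consumed = 0
        while True:
            line = self._read_line(MAX_TRAILER_BYTES)
            consumed += len(line) + 2
            if consumed > MAX_TRAILER_BYTES:
                self._fail("trailer section too large")
            if line == b"":
                return

    def read_chunk(self) -> bytes:
        """Return the next chunk's data, b"" at end of body."""
        if self.error:
            raise MalformedChunkedEncoding("read after encoding error refused")
        if self.done:
            return b""
        size_field = self._read_line(MAX_CHUNK_HEADER_LINE).split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_field):
            self._fail("invalid chunk-size %r" % size_field)
        size = int(size_field, 16)
        if size == 0:
            self._read_trailers()
            self.done = True
            return b""
        data = self.raw[self.pos:self.pos + size]
        if len(data) != size:
            self._fail("truncated chunk")
        self.pos += size
        if self.raw[self.pos:self.pos + 2] != b"\r\n":
            self._fail("chunk data not followed by CRLF")
        self.pos += 2
        return data


def serve_connection(raw: bytes):
    """Model of a keep-alive request loop over one connection.

    Returns (list of (request_line, body) handled, connection_closed).
    Requests without a chunked body are treated as having no body (a
    simplification for this model). On any chunked-encoding error the
    connection is closed; bytes after the error are never reparsed as a
    new request.
    """
    handled = []
    pos = 0
    while pos < len(raw):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end < 0:
            return handled, True          # incomplete request head: close
        lines = raw[pos:head_end].decode("latin-1").split("\r\n")
        request_line = lines[0]
        headers = {k.strip().lower(): v.strip()
                   for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
        pos = head_end + 4
        body = b""
        if "chunked" in headers.get("transfer-encoding", "").lower():
            dec = ChunkedDecoder(raw, pos)
            try:
                while True:
                    chunk = dec.read_chunk()
                    if not chunk:
                        break
                    body += chunk
            except MalformedChunkedEncoding:
                return handled, True      # do not resume at dec.pos
            pos = dec.pos
        handled.append((request_line, body))
    return handled, False


def refuses_reads_after_error(raw: bytes) -> bool:
    """True if the first read fails and a second read is also refused."""
    dec = ChunkedDecoder(raw)
    for _ in range(2):
        try:
            dec.read_chunk()
            return False
        except MalformedChunkedEncoding:
            pass
    return dec.error


# Constructed sample traffic (not captured from any real system).
GOOD = (b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n"
        b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
        b"GET /b HTTP/1.1\r\nHost: x\r\n\r\n")
BAD = (b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n"
       b"zz\r\nGET /b HTTP/1.1\r\nHost: x\r\n\r\n")

if __name__ == "__main__":
    print(serve_connection(GOOD))   # both pipelined requests handled, open
    print(serve_connection(BAD))    # nothing handled, connection closed
```

The check a reviewer of this class of bug wants is the second one: after the invalid chunk-size line, `serve_connection` returns with the connection closed and the trailing `GET /b` is never handled, and `refuses_reads_after_error` confirms the decoder does not hand out data from a well-formed chunk that happens to follow the malformed one.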

Comment 26 errata-xmlrpc 2015-03-11 16:53:40 UTC
This issue has been addressed in the following products:

JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 27 errata-xmlrpc 2015-03-24 21:07:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html

Comment 28 errata-xmlrpc 2015-03-31 17:01:54 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html

Comment 31 errata-xmlrpc 2015-05-12 16:37:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:0983 https://rhn.redhat.com/errata/RHSA-2015-0983.html

Comment 33 errata-xmlrpc 2015-05-12 18:20:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0991 https://rhn.redhat.com/errata/RHSA-2015-0991.html

Comment 34 errata-xmlrpc 2015-05-14 15:21:18 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html

