Bug 1806835 (CVE-2020-1935) - CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling
Summary: CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1935
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1814315 1814316
Blocks: 1806837
TreeView+ depends on / blocked
 
Reported: 2020-02-25 06:33 UTC by Ted (Jong Seok) Won
Modified: 2020-06-04 13:11 UTC (History)
83 users (show)

Fixed In Version: tomcat 9.0.31, tomcat 8.5.51, tomcat 7.0.100
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Tomcat versions 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50, and 7.0.0 to 7.0.99. The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. The highest threat with this vulnerability is system availability.
Clone Of:
Environment:
Last Closed: 2020-04-21 16:31:48 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1520 None None None 2020-04-21 11:06:59 UTC
Red Hat Product Errata RHSA-2020:1521 None None None 2020-04-21 10:56:07 UTC
Red Hat Product Errata RHSA-2020:2367 None None None 2020-06-04 13:11:57 UTC

Description Ted (Jong Seok) Won 2020-02-25 06:33:03 UTC
The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

It affects the version of Apache Tomcat 9 from 9.0.0.M1 to 9.0.30, Tomcat from 8 8.5.0 to 8.5.50, and Tomcat 7 7.0.0 to 7.0.99.

Upstream Patches:
https://github.com/apache/tomcat/commit/8bfb0ff / tomcat9
https://github.com/apache/tomcat/commit/8fbe2e9 / tomcat8
https://github.com/apache/tomcat/commit/702bf15 / tomcat7

Comment 1 Ted (Jong Seok) Won 2020-02-25 06:33:10 UTC
Acknowledgments:

Name: @ZeddYu (Apache Tomcat Security Team)

Comment 12 errata-xmlrpc 2020-04-21 10:56:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2020:1521 https://access.redhat.com/errata/RHSA-2020:1521

Comment 13 errata-xmlrpc 2020-04-21 11:06:53 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.3 on RHEL 7
  Red Hat JBoss Web Server 5.3 on RHEL 6
  Red Hat JBoss Web Server 5.3 on RHEL 8

Via RHSA-2020:1520 https://access.redhat.com/errata/RHSA-2020:1520

Comment 14 Product Security DevOps Team 2020-04-21 16:31:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1935

Comment 15 Yadnyawalk Tale 2020-04-30 14:47:31 UTC
Statement:

OpenDaylight in Red Hat OpenStack 10 & 13 was in technical preview status, because of this no fixes will be released for it.

In Red Hat Satellite 6, Candlepin is using Tomcat to provide a REST API, and has been found to be vulnerable to the flaw. However, it is currently believed that no useful attacks can be carried over.

Comment 22 Yadnyawalk Tale 2020-06-02 10:53:06 UTC
Mitigation:

Workaround for Red Hat Satellite 6 is to add iptables rule to deny TCP requests of Tomcat that are not originating from the Satellite.

For other Red Hat products, either mitigation isn't available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 23 errata-xmlrpc 2020-06-04 13:11:53 UTC
This issue has been addressed in the following products:

  Red Hat Runtimes Spring Boot 2.1.13

Via RHSA-2020:2367 https://access.redhat.com/errata/RHSA-2020:2367


Note You need to log in before you can comment on or make changes to this bug.