Bug 2141329 (CVE-2022-42252) - CVE-2022-42252 tomcat: request smuggling
Summary: CVE-2022-42252 tomcat: request smuggling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-42252
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2141333 2141334 2142463 2142464 2173688 2173689
Blocks: 2139613
Reported: 2022-11-09 14:01 UTC by Patrick Del Bello
Modified: 2023-06-27 08:45 UTC (History)

Fixed In Version: tomcat 10.1.1, tomcat 10.0.27, tomcat 9.0.68, tomcat 8.5.83
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Tomcat. If the server is configured to ignore invalid HTTP headers, it does not reject a request containing an invalid Content-Length header, which makes it vulnerable to a request smuggling attack.
Clone Of:
Environment:
Last Closed: 2023-04-12 18:39:56 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:1663 0 None None None 2023-04-12 12:27:47 UTC
Red Hat Product Errata RHSA-2023:1664 0 None None None 2023-04-12 12:49:20 UTC

Description Patrick Del Bello 2022-11-09 14:01:33 UTC
If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq
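As an added, defensive illustration (not code from the bug report, from Tomcat or from Red Hat), the check below applies the strict Content-Length syntax of RFC 9112 that both a reverse proxy and the origin need to enforce, so that neither forwards a request whose framing the other side might read differently. The header blocks are constructed samples; the page does not say which malformed form Tomcat accepted, so the rejected shapes are assumptions taken from the RFC grammar.

```python
import re
from typing import List, Tuple

# RFC 9112 section 6.3: Content-Length = 1*DIGIT, so no sign, whitespace or
# hex prefix. Accepting anything looser is what lets a proxy and an origin
# disagree on where one request ends and the next begins.
_DIGITS = re.compile(r"^[0-9]+$")
_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split a raw header block (lines after the request line) into
    (name, value) pairs; names lower-cased, OWS around values stripped."""
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        name = name.decode("latin-1")
        if not sep or not _TOKEN.match(name):  # e.g. a space before the colon
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.lower(), value.decode("latin-1").strip()))
    return headers


def check_content_length(headers: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (ok, reason); ok=False means answer 400 and do not forward."""
    values = [v for n, v in headers if n == "content-length"]
    if not values:
        return True, "no Content-Length"
    if any(n == "transfer-encoding" for n, _ in headers):
        return False, "Content-Length together with Transfer-Encoding"
    # A repeated field or a comma-separated list is acceptable only when every
    # member is well-formed and all members agree.
    members = [m.strip() for m in ",".join(values).split(",")]
    for m in members:
        if not _DIGITS.match(m):
            return False, "invalid Content-Length value %r" % m
    if len(set(members)) != 1:
        return False, "conflicting Content-Length values %r" % members
    return True, "Content-Length %s" % members[0]


# Constructed sample header blocks (not taken from the bug report).
SAMPLES = {
    "well-formed": b"Host: app.example\r\nContent-Length: 12\r\n",
    "trailing junk": b"Host: app.example\r\nContent-Length: 12abc\r\n",
    "signed": b"Host: app.example\r\nContent-Length: +12\r\n",
    "conflicting": b"Content-Length: 5\r\nContent-Length: 9\r\n",
    "cl and te": b"Transfer-Encoding: chunked\r\nContent-Length: 5\r\n",
}
```

Only the first sample passes; a front end that answers 400 for the others never gives the origin a chance to parse them differently.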

Comment 1 Patrick Del Bello 2022-11-09 14:04:32 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 2141333]
Affects: fedora-all [bug 2141334]

Comment 9 errata-xmlrpc 2023-04-12 12:27:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:1663 https://access.redhat.com/errata/RHSA-2023:1663

Comment 10 errata-xmlrpc 2023-04-12 12:49:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:1664 https://access.redhat.com/errata/RHSA-2023:1664

Comment 11 Product Security DevOps Team 2023-04-12 18:39:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-42252

