If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers by setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq
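The advisory turns on one Connector attribute, so the practical check on an affected host is whether any HTTP Connector in server.xml still accepts illegal headers. The script below is an added example, not code from the Bugzilla report or the Tomcat project: it parses a server.xml (the embedded sample is constructed for illustration) and flags Connectors with rejectIllegalHeader="false" and, on 8.5.x where the attribute defaults to false, Connectors that omit it. The function name find_lenient_connectors and the tomcat_major_minor parameter are this example's own.

```python
"""Audit a Tomcat server.xml for Connectors that accept illegal HTTP headers.

Added example, not from the bug report or the Tomcat project. The attribute
checked, rejectIllegalHeader, is the one named in the advisory; its default is
false on Tomcat 8.5.x and true on 9.0.x/10.x, so an absent attribute is only a
finding on 8.5.x.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real deployment).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- explicitly lenient: requests with invalid headers are not rejected -->
    <Connector port="8080" protocol="HTTP/1.1" rejectIllegalHeader="false" />
    <!-- relies on the default: false on 8.5.x, true on 9.0.x and later -->
    <Connector port="8081" protocol="HTTP/1.1" />
    <!-- hardened: invalid headers cause the request to be rejected -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               rejectIllegalHeader="true" SSLEnabled="true" />
    <!-- AJP connector: the attribute applies to HTTP connectors, so it is skipped -->
    <Connector port="8009" protocol="AJP/1.3" secretRequired="false" />
  </Service>
</Server>
"""


def find_lenient_connectors(server_xml: str, tomcat_major_minor: str) -> list:
    """Return (port, reason) for every HTTP Connector that does not reject illegal headers.

    tomcat_major_minor is the Tomcat branch, e.g. "8.5" or "9.0"; it decides
    what an absent rejectIllegalHeader attribute means.
    """
    # Per the advisory, false is the default for 8.5.x only.
    default_rejects = tomcat_major_minor != "8.5"
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" in protocol.upper():
            continue  # AJP connectors do not take this HTTP-specific attribute
        port = conn.get("port", "?")
        value = conn.get("rejectIllegalHeader")
        if value is None:
            if not default_rejects:
                findings.append((port, "rejectIllegalHeader not set; default is false on 8.5.x"))
        elif value.strip().lower() == "false":
            findings.append((port, 'rejectIllegalHeader="false"'))
    return findings


if __name__ == "__main__":
    for branch in ("8.5", "9.0"):
        print(f"Tomcat {branch}.x:")
        for port, reason in find_lenient_connectors(SAMPLE_SERVER_XML, branch):
            print(f"  Connector port={port}: {reason}")
```

Run it against a real server.xml by replacing SAMPLE_SERVER_XML with the file's contents and passing the branch you actually run. A finding means that Connector will pass a request with an invalid Content-Length through; the fix is rejectIllegalHeader="true" on the Connector, and since the advisory's attack also needs a reverse proxy that forwards the malformed request, the proxy in front of Tomcat should be configured to reject it as well.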
Created tomcat tracking bugs for this issue:
Affects: epel-all [bug 2141333]
Affects: fedora-all [bug 2141334]
This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.7 on RHEL 7
Red Hat JBoss Web Server 5.7 on RHEL 8
Red Hat JBoss Web Server 5.7 on RHEL 9
Via RHSA-2023:1663 https://access.redhat.com/errata/RHSA-2023:1663
This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2023:1664 https://access.redhat.com/errata/RHSA-2023:1664
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-42252
This bug has not been fixed in Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9).
Ben, yes, you are correct, it was not fixed. This CVE is from 2022 and it was previously defined as WONT FIX since it is considered a low-impact CVE. There was an update in this CVE, so I re-opened it a few weeks ago so engineering can re-evaluate their decision again. It may take some time to get updated, but you are correct. If there is some fix, you will see the customer portal page updated with the necessary information (fixed info/RHSA); if they decide to keep the WONT FIX decision, the page will be updated with the very same information too.
Hi Patrick, I don't suppose there's been any update on this, please? What would be amazing would be if RH had decided to rebase Tomcat for RHEL 8 and 9 to something more recent than 9.0.62 (such as 9.0.86!), but I doubt that will happen in the remaining lifetime of RHEL 8 or 9. In the meantime, my Tenable cloud scanner is still complaining that all of my Tomcat installations are still vulnerable to CVE-2022-42252, and I can't in good conscience say to ignore it. Frankly, it's disappointing that Tenable aren't working with RH to maintain a proper database of what CVE fixes are backported into things like Tomcat, OpenSSL, Apache, etc. But that's a whole other Thing.
Hi Ben, we are checking internally to understand the situation. Please allow us some time to respond.