Bug 1069921 (CVE-2013-4286) - CVE-2013-4286 tomcat: multiple content-length header poisoning flaws
Status: CLOSED ERRATA
Alias: CVE-2013-4286
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1069925 1072497 1072498 1072506 1072507 1072508 1072509 1072510 1072511 1072512 1072513 1072514 1072515 1072516 1072517 1072518 1072519 1072520 1072525 1074417 1076709 1076712 1080306 1089886 1089890
Blocks: 1050743 1069924 1070622 1072489 1072796 1073684 1078600 1079092 1079801 1079803 1082921 1082938 1093886
Reported: 2014-02-25 22:47 UTC by Vincent Danen
Modified: 2019-12-16 04:28 UTC

Fixed In Version: tomcat 7.0.47, tomcat 6.0.39, tomcat 8.0.0-rc3
Doc Type: Bug Fix
Doc Text:
It was found that when Tomcat / JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat / JBoss Web would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests.
Last Closed: 2019-06-08 02:31:45 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0343 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.2 update 2014-03-31 20:47:44 UTC
Red Hat Product Errata RHSA-2014:0344 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.2 update 2014-03-31 20:58:30 UTC
Red Hat Product Errata RHSA-2014:0345 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.2 update 2014-03-31 20:47:38 UTC
Red Hat Product Errata RHSA-2014:0373 0 normal SHIPPED_LIVE Moderate: Apache Commons Fileupload and JBoss Web security update 2014-04-04 01:19:48 UTC
Red Hat Product Errata RHSA-2014:0374 0 normal SHIPPED_LIVE Important: Red Hat JBoss Data Grid 6.2.1 update 2014-04-04 02:01:40 UTC
Red Hat Product Errata RHSA-2014:0429 0 normal SHIPPED_LIVE Moderate: tomcat6 security update 2014-04-23 22:27:58 UTC
Red Hat Product Errata RHSA-2014:0458 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Data Virtualization 6.0.0 security update 2014-04-30 23:01:13 UTC
Red Hat Product Errata RHSA-2014:0459 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse Service Works 6.0.0 security update 2014-04-30 23:00:31 UTC
Red Hat Product Errata RHSA-2014:0511 0 normal SHIPPED_LIVE Important: Red Hat JBoss Operations Network 3.2.1 security update 2014-05-15 21:18:12 UTC
Red Hat Product Errata RHSA-2014:0525 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 tomcat6 security update 2014-05-21 19:45:35 UTC
Red Hat Product Errata RHSA-2014:0526 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 tomcat7 security update 2014-05-21 20:06:31 UTC
Red Hat Product Errata RHSA-2014:0527 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 tomcat7 security update 2014-05-21 19:45:31 UTC
Red Hat Product Errata RHSA-2014:0528 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 tomcat6 security update 2014-05-21 19:45:27 UTC
Red Hat Product Errata RHSA-2014:0686 0 normal SHIPPED_LIVE Important: tomcat security update 2014-06-10 16:34:22 UTC
Red Hat Product Errata RHSA-2015:1009 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC

Description Vincent Danen 2014-02-25 22:47:42 UTC
The Tomcat fix for CVE-2005-2090 was not complete. It did not cover the following cases:

- content-length header with chunked encoding over any HTTP connector
- multiple content-length headers over any AJP connector

Requests with multiple content-length headers or with a content-length header when chunked encoding is being used should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain either multiple content-length headers or a content-length header when chunked encoding is being used, and several components do not reject the request and make different decisions as to which content-length header to use, an attacker can poison a web-cache, perform an XSS attack and obtain sensitive information from requests other than their own. Tomcat now rejects requests with multiple content-length headers or with a content-length header when chunked encoding is being used.

This has been corrected in upstream versions 8.0.0-rc3 [1], 7.0.47 [2], and 6.0.39 [3].

[1] http://svn.apache.org/viewvc?view=revision&revision=1521829
[2] http://svn.apache.org/viewvc?view=revision&revision=1521854
[3] http://svn.apache.org/viewvc?view=revision&revision=1552565
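
Added example, not part of the original report and not Tomcat's code: a strict check that rejects the two header combinations described above for the text form of HTTP/1.1 (the binary AJP connector is not modelled), plus a helper showing the two body lengths that a first-header-wins and a last-header-wins component would take from the same request. The function names, the sample requests and the host app.example are assumptions made for illustration.

```python
# Added example (not Tomcat code): strict check of HTTP/1.1 framing headers.
# All request bytes below are constructed samples; app.example is a placeholder.

def framing_headers(head: bytes):
    """Return (content_length_values, transfer_codings) from a raw request."""
    lines = head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]  # drop request line
    lengths, codings = [], []
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        name = name.strip().lower()
        value = value.strip().decode("latin-1")
        if name == b"content-length":
            lengths.append(value)
        elif name == b"transfer-encoding":
            codings += [c.strip().lower() for c in value.split(",") if c.strip()]
    return lengths, codings


def check_request(head: bytes):
    """Return (accept, reason); reject the two cases named in this bug."""
    lengths, codings = framing_headers(head)
    if len(lengths) > 1:
        return False, "multiple content-length headers"
    if lengths and "chunked" in codings:
        return False, "content-length with chunked transfer-encoding"
    return True, "ok"


def lenient_views(head: bytes):
    """Body length a first-header-wins and a last-header-wins parser would use."""
    lengths, _ = framing_headers(head)
    return (int(lengths[0]), int(lengths[-1])) if lengths else (0, 0)


PREFIX = b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
DUP_CL = PREFIX + b"Content-Length: 5\r\ncontent-length: 11\r\n\r\nhello world"
CL_TE = (PREFIX + b"Content-Length: 11\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"5\r\nhello\r\n0\r\n\r\n")
PLAIN = PREFIX + b"Content-Length: 11\r\n\r\nhello world"

if __name__ == "__main__":
    for label, req in (("dup-cl", DUP_CL), ("cl+te", CL_TE), ("plain", PLAIN)):
        print(label, check_request(req), lenient_views(req))
```

When the two values returned by lenient_views differ, the components in the chain disagree about where the request ends, which is why rejecting the request outright is the safe behaviour.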

Comment 1 Vincent Danen 2014-02-25 23:05:30 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1069925]

Comment 12 errata-xmlrpc 2014-03-31 16:48:29 UTC
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.2

Via RHSA-2014:0345 https://rhn.redhat.com/errata/RHSA-2014-0345.html

Comment 13 errata-xmlrpc 2014-03-31 16:49:54 UTC
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 5
  JBEAP 6 for RHEL 5

Via RHSA-2014:0343 https://rhn.redhat.com/errata/RHSA-2014-0343.html

Comment 14 errata-xmlrpc 2014-03-31 17:00:38 UTC
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 6
  JBEAP 6 for RHEL 6

Via RHSA-2014:0344 https://rhn.redhat.com/errata/RHSA-2014-0344.html

Comment 18 errata-xmlrpc 2014-04-03 21:21:02 UTC
This issue has been addressed in following products:

  Red Hat JBoss BRMS 6.0.1
  Red Hat JBoss BPM Suite 6.0.1

Via RHSA-2014:0373 https://rhn.redhat.com/errata/RHSA-2014-0373.html

Comment 19 errata-xmlrpc 2014-04-03 22:02:07 UTC
This issue has been addressed in following products:

  Red Hat JBoss Data Grid 6.2.1

Via RHSA-2014:0374 https://rhn.redhat.com/errata/RHSA-2014-0374.html

Comment 22 errata-xmlrpc 2014-04-23 18:30:42 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0429 https://rhn.redhat.com/errata/RHSA-2014-0429.html

Comment 23 errata-xmlrpc 2014-04-30 19:02:42 UTC
This issue has been addressed in following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2014:0459 https://rhn.redhat.com/errata/RHSA-2014-0459.html

Comment 24 errata-xmlrpc 2014-04-30 19:03:57 UTC
This issue has been addressed in following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2014:0458 https://rhn.redhat.com/errata/RHSA-2014-0458.html

Comment 26 errata-xmlrpc 2014-05-15 17:18:26 UTC
This issue has been addressed in following products:

  Red Hat JBoss Operations Network 3.2.1

Via RHSA-2014:0511 https://rhn.redhat.com/errata/RHSA-2014-0511.html

Comment 27 errata-xmlrpc 2014-05-21 15:46:23 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Server 2.0.1

Via RHSA-2014:0528 https://rhn.redhat.com/errata/RHSA-2014-0528.html

Comment 28 errata-xmlrpc 2014-05-21 15:47:15 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Server 2.0.1

Via RHSA-2014:0527 https://rhn.redhat.com/errata/RHSA-2014-0527.html

Comment 29 errata-xmlrpc 2014-05-21 15:48:29 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5
  JBEWS 2 for RHEL 6

Via RHSA-2014:0525 https://rhn.redhat.com/errata/RHSA-2014-0525.html

Comment 30 errata-xmlrpc 2014-05-21 16:06:58 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5
  JBEWS 2 for RHEL 6

Via RHSA-2014:0526 https://rhn.redhat.com/errata/RHSA-2014-0526.html

Comment 31 errata-xmlrpc 2014-06-10 12:35:59 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0686 https://rhn.redhat.com/errata/RHSA-2014-0686.html

Comment 33 wangchao 2014-08-19 10:11:12 UTC
I want to know how I can show this bug to others, for example how I can demonstrate this bug to my colleague, to make him know about the multiple content-length header poisoning flaws. Thanks a lot!!!

Comment 34 wangchao 2014-08-19 10:14:21 UTC
I want to know how I can show this bug to others, for example how I can demonstrate this bug to my colleague, to make him know about the multiple content-length header poisoning flaws. Thanks a lot!!!

Comment 35 wangchao 2014-08-19 10:14:50 UTC
I want to know how I can show this bug to others, for example how I can demonstrate this bug to my colleague, to make him know about the multiple content-length header poisoning flaws. Thanks a lot!!!

Comment 36 wangchao 2014-08-20 01:06:53 UTC
(In reply to Vincent Danen from comment #0)
> The Tomcat fix for CVE-2005-2090 was not complete. It did not cover the
> following cases:
> 
> - content-length header with chunked encoding over any HTTP connector
> - multiple content-length headers over any AJP connector
> 
> Requests with multiple content-length headers or with a content-length
> header when chunked encoding is being used should be rejected as invalid.
> When multiple components (firewalls, caches, proxies and Tomcat) process a
> sequence of requests where one or more requests contain either multiple
> content-length headers or a content-length header when chunked encoding is
> being used and several components do not reject the request and make
> different decisions as to which content-length header to use an attacker can
> poison a web-cache, perform an XSS attack and obtain sensitive information
> from requests other than their own. Tomcat now rejects requests with
> multiple content-length headers or with a content-length header when chunked
> encoding is being used.
> 
> This has been corrected in upstream versions 8.0.0-rc3 [1], 7.0.47 [2], and
> 6.0.39 [3].
> 
> [1] http://svn.apache.org/viewvc?view=revision&revision=1521829
> [2] http://svn.apache.org/viewvc?view=revision&revision=1521854
> [3] http://svn.apache.org/viewvc?view=revision&revision=1552565



I want to know how I can show this bug to others, for example how I can demonstrate this bug to my colleague, to make him know about the multiple content-length header poisoning flaws. Thanks a lot!!!

Comment 37 wangchao 2014-08-20 03:22:27 UTC
(In reply to Vincent Danen from comment #0)
> The Tomcat fix for CVE-2005-2090 was not complete. It did not cover the
> following cases:
> 
> - content-length header with chunked encoding over any HTTP connector
> - multiple content-length headers over any AJP connector
> 
> Requests with multiple content-length headers or with a content-length
> header when chunked encoding is being used should be rejected as invalid.
> When multiple components (firewalls, caches, proxies and Tomcat) process a
> sequence of requests where one or more requests contain either multiple
> content-length headers or a content-length header when chunked encoding is
> being used and several components do not reject the request and make
> different decisions as to which content-length header to use an attacker can
> poison a web-cache, perform an XSS attack and obtain sensitive information
> from requests other than their own. Tomcat now rejects requests with
> multiple content-length headers or with a content-length header when chunked
> encoding is being used.
> 
> This has been corrected in upstream versions 8.0.0-rc3 [1], 7.0.47 [2], and
> 6.0.39 [3].
> 
> [1] http://svn.apache.org/viewvc?view=revision&revision=1521829
> [2] http://svn.apache.org/viewvc?view=revision&revision=1521854
> [3] http://svn.apache.org/viewvc?view=revision&revision=1552565

I want to know how I can show this bug to others, for example how I can demonstrate this bug to my colleague, to let him see the process of how this bug is produced. Thanks a lot!!!

Comment 38 Vincent Danen 2014-08-20 14:39:55 UTC
(In reply to wangchao from comment #37)
 
> I want to know how I can show this bug to others, for example how I can
> demonstrate this bug to my colleague, to let him see the process of
> how this bug is produced. Thanks a lot!!!

You will need to approach Tomcat upstream to ask them these questions.

Comment 39 wangchao 2014-08-21 10:25:49 UTC
(In reply to Vincent Danen from comment #38)
> (In reply to wangchao from comment #37)
>  
> > I want to know how I can show this bug to others, for example how I can
> > demonstrate this bug to my colleague, to let him see the process of
> > how this bug is produced. Thanks a lot!!!
> 
> You will need to approach Tomcat upstream to ask them these questions.

So you mean that I should ask the people who maintain Tomcat for help. What I want to know is: do you know how I can get in touch with them, or do you have their email? If you know, please tell me; I would appreciate it a lot.



                                                                  wangchao
                                                                 2014/08/21

Comment 40 Vincent Danen 2014-08-21 13:04:38 UTC
(In reply to wangchao from comment #39)
... 
> > You will need to approach Tomcat upstream to ask them these questions.
> 
> So you mean that I should ask the people who maintain Tomcat for help.
> What I want to know is: do you know how I can get in touch with them,
> or do you have their email? If you know, please tell me; I would
> appreciate it a lot.

It's not hard to find. http://tomcat.apache.org/contact.html

Comment 41 Fedora Update System 2014-09-26 09:02:35 UTC
tomcat-7.0.52-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 43 errata-xmlrpc 2015-05-14 15:16:23 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html

