The refactoring in 9.0.28 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. It affects the version of Apache Tomcat 9 from 9.0.28 to 9.0.30, Tomcat from 8 8.5.48 to 8.5.50, and Tomcat 7 7.0.98 to 7.0.99. Upstream Patches: https://github.com/apache/tomcat/commit/060ecc5 / tomcat9 https://github.com/apache/tomcat/commit/959f1df / tomcat8 https://github.com/apache/tomcat/commit/b191a0d / tomcat7
Acknowledgments: Name: @ZeddYu (Apache Tomcat Security Team)
External References: https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
Statement: This flaw did not affect the versions of Tomcat as shipped with Red Enterprise Linux 5, 6, 7 and 8, as they did not include the vulnerable code, which was introduced in a later version of the package. OpenDaylight in Red Hat OpenStack 10 & 13 was in technical preview status, because of this no fixes will be released for it.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-17569
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2020:1521 https://access.redhat.com/errata/RHSA-2020:1521
This issue has been addressed in the following products: Red Hat JBoss Web Server 5.3 on RHEL 7 Red Hat JBoss Web Server 5.3 on RHEL 6 Red Hat JBoss Web Server 5.3 on RHEL 8 Via RHSA-2020:1520 https://access.redhat.com/errata/RHSA-2020:1520