The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. It affects the version of Apache Tomcat 9 from 9.0.0.M1 to 9.0.30, Tomcat from 8 8.5.0 to 8.5.50, and Tomcat 7 7.0.0 to 7.0.99. Upstream Patches: https://github.com/apache/tomcat/commit/8bfb0ff / tomcat9 https://github.com/apache/tomcat/commit/8fbe2e9 / tomcat8 https://github.com/apache/tomcat/commit/702bf15 / tomcat7
Acknowledgments: Name: @ZeddYu (Apache Tomcat Security Team)
External References: https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2020:1521 https://access.redhat.com/errata/RHSA-2020:1521
This issue has been addressed in the following products: Red Hat JBoss Web Server 5.3 on RHEL 7 Red Hat JBoss Web Server 5.3 on RHEL 6 Red Hat JBoss Web Server 5.3 on RHEL 8 Via RHSA-2020:1520 https://access.redhat.com/errata/RHSA-2020:1520
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1935
Statement: OpenDaylight in Red Hat OpenStack 10 & 13 was in technical preview status, because of this no fixes will be released for it. In Red Hat Satellite 6, Candlepin is using Tomcat to provide a REST API, and has been found to be vulnerable to the flaw. However, it is currently believed that no useful attacks can be carried over.
Mitigation: Workaround for Red Hat Satellite 6 is to add iptables rule to deny TCP requests of Tomcat that are not originating from the Satellite. For other Red Hat products, either mitigation isn't available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
This issue has been addressed in the following products: Red Hat Runtimes Spring Boot 2.1.13 Via RHSA-2020:2367 https://access.redhat.com/errata/RHSA-2020:2367
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2020:3303 https://access.redhat.com/errata/RHSA-2020:3303
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2020:3305 https://access.redhat.com/errata/RHSA-2020:3305
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:5020 https://access.redhat.com/errata/RHSA-2020:5020
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2021:0882 https://access.redhat.com/errata/RHSA-2021:0882
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Extended Update Support Via RHSA-2021:1030 https://access.redhat.com/errata/RHSA-2021:1030
This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140