Bug 2141329 (CVE-2022-42252) - CVE-2022-42252 tomcat: request smuggling
Summary: CVE-2022-42252 tomcat: request smuggling
Alias: CVE-2022-42252
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2141333 2141334 2142463 2142464 2173688 2173689
Blocks: 2139613
Reported: 2022-11-09 14:01 UTC by Patrick Del Bello
Modified: 2023-12-06 20:44 UTC

Fixed In Version: tomcat 10.1.1, tomcat 10.0.27, tomcat 9.0.68, tomcat 8.5.83
Doc Text:
A flaw was found in Apache Tomcat. If the server is configured to ignore invalid HTTP headers, the server does not reject a request containing an invalid content-length header, making it vulnerable to a request smuggling attack.
Last Closed: 2023-04-12 18:39:56 UTC

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2023:1663 | 0 | None | None | None | 2023-04-12 12:27:47 UTC
Red Hat Product Errata | RHSA-2023:1664 | 0 | None | None | None | 2023-04-12 12:49:20 UTC

Description Patrick Del Bello 2022-11-09 14:01:33 UTC
If Apache Tomcat 8.5.0 to 8.5.52, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
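
The condition in the description can be checked against a deployment. The following added example, not part of this bug report or of any Tomcat or Red Hat tooling, flags HTTP Connectors in a server.xml that leave rejectIllegalHeader off on a release older than the Fixed In Version values above; the function names, the sample server.xml and the skipping of AJP connectors are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# First fixed release per branch, taken from the "Fixed In Version" field of this bug.
FIXED = {(8, 5): (8, 5, 83), (9, 0): (9, 0, 68), (10, 0): (10, 0, 27), (10, 1): (10, 1, 1)}
# Per the description, rejectIllegalHeader defaults to false on 8.5.x only.
DEFAULT_REJECT = {(8, 5): False, (9, 0): True, (10, 0): True, (10, 1): True}

# Constructed sample configuration (not from any real host).
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="HTTP/1.1" rejectIllegalHeader="true"/>
  <Connector port="8081" protocol="HTTP/1.1" rejectIllegalHeader="false"/>
  <Connector port="8009" protocol="AJP/1.3"/>
</Service></Server>"""

def parse_version(text):
    """'10.1.0-M1' -> (10, 1, 0); a milestone suffix still sorts below the fix release."""
    return tuple(int(part.split("-")[0]) for part in text.split(".")[:3])

def audit(version, server_xml):
    """Return [(port, reason)] for HTTP Connectors that accept illegal headers."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch not in FIXED or ver >= FIXED[branch]:
        return []  # at or past the fixed release, or a branch this bug does not list
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Assumption: the setting applies to HTTP connectors, so AJP ones are skipped.
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            continue
        raw = conn.get("rejectIllegalHeader")
        if raw is None:
            reject, reason = DEFAULT_REJECT[branch], "branch default"
        else:
            # Any value other than "true" is treated as false (conservative).
            reject, reason = raw.strip().lower() == "true", "explicit false"
        if not reject:
            findings.append((conn.get("port"), reason))
    return findings

if __name__ == "__main__":
    for release in ("8.5.82", "9.0.62", "9.0.68"):
        print(release, audit(release, SAMPLE))
```

The version comparison uses upstream release numbers only; distribution packages can carry backported fixes under an older upstream version, so confirm patch status against the vendor's errata. A flagged Connector is exploitable only under the second condition in the description, a reverse proxy in front that also passes the invalid header through.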


Comment 1 Patrick Del Bello 2022-11-09 14:04:32 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 2141333]
Affects: fedora-all [bug 2141334]

Comment 9 errata-xmlrpc 2023-04-12 12:27:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:1663 https://access.redhat.com/errata/RHSA-2023:1663

Comment 10 errata-xmlrpc 2023-04-12 12:49:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:1664 https://access.redhat.com/errata/RHSA-2023:1664

Comment 11 Product Security DevOps Team 2023-04-12 18:39:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 15 Ben 2023-10-12 09:51:49 UTC
This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9).

Comment 16 Patrick Del Bello 2023-10-17 14:12:42 UTC
Ben, yes, you are correct, it was not fixed. This CVE is from 2022 and it was previously defined as WONT FIX since it is considered a low impact CVE. There was an update in this CVE so I re-opened it a few weeks ago so engineering can re-evaluate their decision again. It may take some time to get updated but you are correct. If there is some fix, you will see the customer portal page updated with the necessary information (fixed info/RHSA); if they decide to keep the WONT FIX decision, the page will be updated with the very same information too.
