Bug 2252050 (CVE-2023-46589) - CVE-2023-46589 tomcat: HTTP request smuggling via malformed trailer headers
Summary: CVE-2023-46589 tomcat: HTTP request smuggling via malformed trailer headers
Keywords:
Status: NEW
Alias: CVE-2023-46589
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2252051
Blocks: 2252194
Reported: 2023-11-29 08:23 UTC by Pedro Sampaio
Modified: 2024-04-30 23:00 UTC (History)

Fixed In Version: tomcat 9.0.83
Doc Type: If docs needed, set a value
Doc Text:
An improper input validation flaw was found in Apache Tomcat due to incorrect parsing of HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2024:0532  0        None      None    None     2024-01-29 01:36:44 UTC
Red Hat Product Errata  RHSA-2024:0539  0        None      None    None     2024-01-29 08:20:32 UTC
Red Hat Product Errata  RHSA-2024:1092  0        None      None    None     2024-03-05 08:15:49 UTC
Red Hat Product Errata  RHSA-2024:1134  0        None      None    None     2024-03-05 18:11:44 UTC
Red Hat Product Errata  RHSA-2024:1318  0        None      None    None     2024-03-18 11:16:11 UTC
Red Hat Product Errata  RHSA-2024:1319  0        None      None    None     2024-03-18 11:13:55 UTC
Red Hat Product Errata  RHSA-2024:1324  0        None      None    None     2024-03-18 14:53:05 UTC
Red Hat Product Errata  RHSA-2024:1325  0        None      None    None     2024-03-18 14:53:55 UTC

Description Pedro Sampaio 2023-11-29 08:23:46 UTC
Affected versions:

- Apache Tomcat 11.0.0-M1 through 11.0.0-M10
- Apache Tomcat 10.1.0-M1 through 10.1.15
- Apache Tomcat 9.0.0-M1 through 9.0.82
- Apache Tomcat 8.5.0 through 8.5.95

Description:

Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

Credit:

Norihito Aimoto (OSSTech Corporation) (finder)

References:

https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr
http://www.openwall.com/lists/oss-security/2023/11/28/2

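The description above says that a trailer header exceeding the header size limit made Tomcat treat one request as several. The property a correct parser needs is simple to state: the trailer section of a chunked body is bounded by a size limit, and exceeding that limit is fatal for the connection, not something the parser skips past and resumes from, because any trailer bytes left unconsumed would be read as the start of the next request. The following Python parser is an added example written for this page; it is not Tomcat's code and does not reproduce Tomcat's fix. The names `parse_chunked`, `TrailerTooLarge`, `ChunkedBody` and the `max_trailer_size` parameter with its 8192-byte default are assumptions chosen for the example, and the two sample inputs are constructed.

```python
"""Minimal HTTP/1.1 chunked-body parser that bounds the trailer section.

Added example, not Tomcat's code. It shows the fail-closed behaviour that
keeps an oversized trailer from desynchronising the request stream:
once the trailer section passes max_trailer_size, TrailerTooLarge is
raised and the caller must close the connection instead of reading on.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_HEX = re.compile(rb"[0-9A-Fa-f]+")


class ChunkedParseError(Exception):
    """Malformed chunked encoding; the request cannot be processed."""


class TrailerTooLarge(ChunkedParseError):
    """Trailer section exceeded max_trailer_size; the connection must be closed."""


@dataclass
class ChunkedBody:
    data: bytes               # de-chunked message body
    trailers: dict[str, str]  # trailer fields, names lower-cased
    remaining: bytes          # bytes after the final CRLF: the next request, if any


def parse_chunked(buf: bytes, max_trailer_size: int = 8192) -> ChunkedBody:
    """Parse a complete chunked body from buf.

    max_trailer_size (8192 here is an assumed default) caps the number of
    bytes the trailer section may occupy, including its terminating CRLFs.
    """
    pos = 0
    data = bytearray()
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedParseError("incomplete chunk-size line")
        # chunk extensions after ';' are ignored; the size itself must be pure hex
        size_field = buf[pos:eol].split(b";", 1)[0].strip()
        if not _HEX.fullmatch(size_field):
            raise ChunkedParseError("invalid chunk size")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break  # last-chunk: the trailer section starts here
        end = pos + size
        if buf[end:end + 2] != b"\r\n":
            raise ChunkedParseError("chunk data not terminated by CRLF")
        data += buf[pos:end]
        pos = end + 2

    trailers: dict[str, str] = {}
    trailer_start = pos
    while True:
        eol = buf.find(b"\r\n", pos)
        # Enforce the limit before interpreting the line. Both an overlong
        # line and an unterminated one count; raising here (rather than
        # truncating and carrying on) guarantees no trailer bytes are left
        # behind to be parsed as a fresh request.
        consumed = (eol + 2 if eol >= 0 else len(buf)) - trailer_start
        if consumed > max_trailer_size:
            raise TrailerTooLarge(f"trailer section exceeds {max_trailer_size} bytes")
        if eol < 0:
            raise ChunkedParseError("incomplete trailer section")
        line = buf[pos:eol]
        pos = eol + 2
        if not line:
            break  # empty line ends the trailer section
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ChunkedParseError("malformed trailer line")
        trailers[name.strip().decode("ascii").lower()] = value.strip().decode("latin-1")

    return ChunkedBody(bytes(data), trailers, buf[pos:])


# Constructed sample inputs for the example (not captured traffic).
SAMPLE_OK = (
    b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n"
    b"X-Checksum: abc\r\n\r\n"
    b"GET /next HTTP/1.1\r\n"   # a following request on the same connection
)
SAMPLE_OVERSIZED = b"0\r\nX-Big: " + b"a" * 100 + b"\r\n\r\n"


if __name__ == "__main__":
    body = parse_chunked(SAMPLE_OK)
    print(body.data, body.trailers, body.remaining)
    try:
        parse_chunked(SAMPLE_OVERSIZED, max_trailer_size=64)
    except TrailerTooLarge as exc:
        print("reject and close connection:", exc)
```

The point of the second sample is the control flow, not the payload: when the limit trips, the caller gets an exception and must close the socket, so the question of what the bytes after the oversized trailer would have meant never arises. A parser that instead discarded the excess and resumed at the next line would hand those bytes to the next round of request parsing, which is the behaviour the advisory describes.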
Comment 1 Pedro Sampaio 2023-11-29 08:24:18 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 2252051]

Comment 8 Jean-frederic Clere 2024-01-09 13:29:15 UTC
Why High if CVE-2023-45648 was medium?

Comment 10 Jean-frederic Clere 2024-01-18 15:43:09 UTC
JWS-6.0.0 is affected; the fix is planned for 6.0.1.

Comment 12 errata-xmlrpc 2024-01-29 01:36:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0532 https://access.redhat.com/errata/RHSA-2024:0532

Comment 13 errata-xmlrpc 2024-01-29 08:20:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0539 https://access.redhat.com/errata/RHSA-2024:0539

Comment 14 Ben 2024-01-30 11:47:13 UTC
Fix coming for Red Hat Enterprise Linux 9 as well, please?

Comment 18 errata-xmlrpc 2024-03-05 08:15:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1092 https://access.redhat.com/errata/RHSA-2024:1092

Comment 19 errata-xmlrpc 2024-03-05 18:11:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1134 https://access.redhat.com/errata/RHSA-2024:1134

Comment 20 errata-xmlrpc 2024-03-18 11:13:51 UTC
This issue has been addressed in the following products:

  JWS 5.7.8

Via RHSA-2024:1319 https://access.redhat.com/errata/RHSA-2024:1319

Comment 21 errata-xmlrpc 2024-03-18 11:16:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2024:1318 https://access.redhat.com/errata/RHSA-2024:1318

Comment 22 errata-xmlrpc 2024-03-18 14:53:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 6.0 on RHEL 8
  Red Hat JBoss Web Server 6.0 on RHEL 9

Via RHSA-2024:1324 https://access.redhat.com/errata/RHSA-2024:1324

Comment 23 errata-xmlrpc 2024-03-18 14:53:50 UTC
This issue has been addressed in the following products:

  JWS 6.0.1

Via RHSA-2024:1325 https://access.redhat.com/errata/RHSA-2024:1325
