Re: [SECURITY][UPDATE] CVE-2022-42252 Apache Tomcat - Request Smuggling

[Christopher Schultz <ch...@christopherschultz.net>]

All,

There is a typo in this announcement.

The affected versions of Tomcat8.5 are 8.5.0 to 8.0.82, not 8.5.52.

Thanks,
-chris

On 10/31/22 12:46, Mark Thomas wrote:
> CVE-2022-42252 Apache Tomcat - Request Smuggling
> 
> Severity: Low
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 10.1.0-M1 to 10.1.0
> Apache Tomcat 10.0.0-M1 to 10.0.26
> Apache Tomcat 9.0.0-M1 to 9.0.67
> Apache Tomcat 8.5.0 to 8.5.52
> 
> Description:
> If Tomcat was configured to ignore invalid HTTP headers via setting
> rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did 
> not reject a request containing an invalid Content-Length header making 
> a request smuggling attack  possible if Tomcat was located behind a 
> reverse proxy that also failed to reject the request with the invalid 
> header.
> 
> 
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Ensure rejectIllegalHeader is set to true
> - Upgrade to Apache Tomcat 10.1.1 or later
> - Upgrade to Apache Tomcat 10.0.27 or later
> - Upgrade to Apache Tomcat 9.0.68 or later
> - Upgrade to Apache Tomcat 8.5.83 or later
> 
> Credit:
> Thanks to Sam Shahsavar who discovered this issue and reported it to the 
> Apache Tomcat security team.
> 
> History:
> 2022-10-31 Original advisory
> 
> References:
> [1] https://tomcat.apache.org/security-10.html
> [2] https://tomcat.apache.org/security-9.html
> [3] https://tomcat.apache.org/security-8.html
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org