Posted to users@tomcat.apache.org by James Boggs <jb...@rightdirectiontech.com.INVALID> on 2023/07/05 16:51:08 UTC

Apache Tomcat request smuggling in 9.0.68?

Hi,

We have Apache Tomcat 9.0.73 installed on a Windows Server 2019 o/s which has a Request Smuggling vulnerability being reported in a BURP scan.
The Tomcat documentation reports Request Smuggling has been fixed in 9.0.68, so we don't understand why it would still be reported using 9.0.73.
Any insights on this?
We have been told the proxy in use only supports HTTP1, so HTTP2 is not an option.

V/r,

James Boggs | Senior DBA/SA | Mobile: 571-337-0535
"Trust, Integrity, Loyalty to Our Customers, Employees and Partner"
VA Verified (SDVOSB) | SBA Certified 8(a) | SB | SDB | MBE/DBE (MD) | SWaM (VA)
ISO 9001:2015|ISO/IEC 20000-1:2018|ISO/IEC 27001:2013|
CMMI-DEV Level 3 Appraised |
GSA Schedule Holder: IT-70#:GS35F237AA
GSA 8(a) STARS III#: 47QTCB21D0030
CIO-SP3 Contract#: HHSN316201800033W(SDVOSB)
CIO-SP3 Contract#: HHSN316201800054W(HUBZone)
Seaport-NXG Contract#: N00178-19-D-8420
eFAST Contract#: DTFAWA-13-A-00074
Fax: 410-814-7539 |jboggs@rightdirectiontech.com<ma...@rightdirectiontech.com>
RightDirection Technology Solutions, LLC | 300 E. Lombard St Suite 840 | Baltimore, MD 21202 |
www.rightdirectiontech.com<http://www.rightdirectiontech.com/>

Please Go Green! Please do not print this e-mail unless necessary.

Notice of Confidentiality: This e-mail and any attachments thereto, are intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail (or the person responsible for delivering this document to the intended recipient), you are hereby notified that any dissemination, distribution, printing or copying of this e-mail, and any attachment thereto, is strictly prohibited. If you have received this e-mail in error, please respond to the individual sending the message, and permanently delete the original and any copy of any e-mail and printout thereof.


Re: Apache Tomcat request smuggling in 9.0.68?

Posted by Mark Thomas <ma...@apache.org>.
On 05/07/2023 20:15, James Boggs wrote:
> Hello,
> 
> I was sent this information, I hope this meets your expectations.

Thanks. It does.

The request headers do not contain an invalid Content-Length header so 
CVE-2022-42252 is not applicable to this situation.

The requests are valid HTTP requests (unless I missed something) so 
something would have to be severely broken for there to be request 
smuggling.

I have tested the request on a clean build of Tomcat 9.0.73 and Tomcat 
correctly redirects to https://rplans.army.mil/ for both requests.

You may want to look at the proxy rather than Tomcat.

To figure out what is going on you are going to need to look at the 
network traces for both the client<->proxy link and the proxy<->tomcat link.

Mark


> 
> -----------------------------------------------------------------------------------------
> Request 1
> GET / HTTP/1.1
> Host: rplans.army.mil
> Accept-Encoding: gzip, deflate
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
> Accept-Language: en-US;q=0.9,en;q=0.8
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
> Connection: keep-alive
> Cache-Control: max-age=0
> Upgrade-Insecure-Requests: 1
> Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="113", "Chromium";v="113"
> Sec-CH-UA-Platform: Windows
> Sec-CH-UA-Mobile: ?0
> Content-Length: 61
> Cookie: ai_user=zah6PVBAYp+ILUaHTr/CZn|2023-06-27T16:40:26.575Z; ai_session=4yP6RgcdmaqsiFQJVdym6I|1687884026682|1687884026682; _ga=GA1.2.1707569457.1687904638; _gid=GA1.2.1713949416.1687904638; _gat=1
> 
> GET /j6pnv4c5dp?j6pnv4c5dp=j6pnv4c5dp HTTP/1.1
> X: kyhzap9frc
> Response 1
> HTTP/1.1 301 Moved Permanently
> Server: AkamaiGHost
> Content-Length: 0
> Location: https://rplans.army.mil/
> Date: Wed, 28 Jun 2023 01:37:07 GMT
> Connection: Keep-Alive
> Request 2
> GET / HTTP/1.1
> Host: rplans.army.mil
> Accept-Encoding: gzip, deflate
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
> Accept-Language: en-US;q=0.9,en;q=0.8
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
> Connection: keep-alive
> Cache-Control: max-age=0
> Upgrade-Insecure-Requests: 1
> Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="113", "Chromium";v="113"
> Sec-CH-UA-Platform: Windows
> Sec-CH-UA-Mobile: ?0
> Content-Length: 61
> Cookie: ai_user=zah6PVBAYp+ILUaHTr/CZn|2023-06-27T16:40:26.575Z; ai_session=4yP6RgcdmaqsiFQJVdym6I|1687884026682|1687884026682; _ga=GA1.2.1707569457.1687904638; _gid=GA1.2.1713949416.1687904638; _gat=1
> 
> GET /j6pnv4c5dp?j6pnv4c5dp=j6pnv4c5dp HTTP/1.1
> X: kyhzap9frc
> Response 2
> HTTP/1.1 301 Moved Permanently
> Server: AkamaiGHost
> Content-Length: 0
> Location: https://rplans.army.mil/j6pnv4c5dp?j6pnv4c5dp=j6pnv4c5dp
> Date: Wed, 28 Jun 2023 01:37:09 GMT
> Connection: Keep-Alive
> -------------------------------------------------------------------------------------------------------------------------
> 
> 
> 
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Wednesday, July 5, 2023 12:59 PM
> To: users@tomcat.apache.org
> Subject: Re: Apache Tomcat request smuggling in 9.0.68?
> 
> Without knowing which vulnerability is being tested for and how the vulnerability is being tested for I don't think anyone here will be able to help.
> 
> A (cleartext) tcpdump of the associated request(s) and response(s) would also be helpful.
> 
> Mark
> 
> 
> On 05/07/2023 17:51, James Boggs wrote:
>> Hi,
>>
>> We have Apache Tomcat 9.0.73 installed on a Windows Server 2019 o/s
>> which has a Request Smuggling vulnerability being reported in a
>> BURP scan.
>>
>> The Tomcat documentation reports Request Smuggling has been fixed in
>> 9.0.68, so we don’t understand why it would still be reported using 9.0.73.
>>
>> Any insights on this?
>>
>> We have been told the proxy in use only supports HTTP1, so HTTP2 is
>> not an option.
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
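The probe in the trace Mark analysed above, replayed as an added example so his two points can be checked mechanically. This is not code from the thread, from Tomcat or from Burp. It rebuilds the captured request (the body is a second request-line plus one header, 61 bytes, exactly what the Content-Length declares, so the request is valid HTTP/1.1 and the invalid-Content-Length case of CVE-2022-42252 does not arise) and classifies a pair of replies from one keep-alive connection the way the scanner did: a second reply whose Location names the marker path means some hop treated the first request's body as the start of a new request. The host name, marker and the two response heads are taken from the posted trace; send_pair() is for replaying against your own instance, as Mark did against a clean 9.0.73, while capturing the client<->proxy and proxy<->Tomcat links.

```python
"""Replay of the request-smuggling probe captured in the thread.

Added example; not code from the thread, from Tomcat or from Burp. It
checks what Mark Thomas checked: the probe is valid HTTP/1.1 (one numeric
Content-Length equal to the body actually sent, so the invalid-header case
of CVE-2022-42252 does not apply), and what a pair of replies on one
keep-alive connection says. HOST, MARKER and the reply heads come from the
posted trace.
"""
import re
import socket
from typing import Dict, List, Optional

HOST = "rplans.army.mil"      # Host header in the trace
MARKER = "j6pnv4c5dp"         # scanner-generated marker in the trace
SMUGGLED_PATH = f"/{MARKER}?{MARKER}={MARKER}"

# The two response heads from the trace, CRLF line endings restored.
RESP1 = (b"HTTP/1.1 301 Moved Permanently\r\nServer: AkamaiGHost\r\n"
         b"Content-Length: 0\r\nLocation: https://rplans.army.mil/\r\n"
         b"Date: Wed, 28 Jun 2023 01:37:07 GMT\r\nConnection: Keep-Alive\r\n\r\n")
RESP2 = (b"HTTP/1.1 301 Moved Permanently\r\nServer: AkamaiGHost\r\n"
         b"Content-Length: 0\r\n"
         b"Location: https://rplans.army.mil/j6pnv4c5dp?j6pnv4c5dp=j6pnv4c5dp\r\n"
         b"Date: Wed, 28 Jun 2023 01:37:09 GMT\r\nConnection: Keep-Alive\r\n\r\n")

_CL = re.compile(rb"^Content-Length:[ \t]*([^\r\n]*)", re.I | re.M)


def build_probe(host: str, marker: str) -> bytes:
    """Rebuild the probe: GET / whose body is a second request-line plus one
    unterminated header, Content-Length set to the exact body size (61 bytes
    for the marker in the trace). Browser headers are left out."""
    body = (f"GET /{marker}?{marker}={marker} HTTP/1.1\r\n"
            f"X: kyhzap9frc").encode()          # header value as in the trace
    head = (f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: keep-alive\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


def check_content_length(raw: bytes) -> Dict[str, object]:
    """Strict framing check: exactly one Content-Length, digits only, and
    equal to the number of body bytes after the blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return {"valid": False, "reason": "no end of headers"}
    values = [v.strip() for v in _CL.findall(head)]
    if len(values) != 1:
        return {"valid": False, "reason": f"{len(values)} Content-Length headers"}
    if not values[0].isdigit():
        return {"valid": False, "reason": f"non-numeric Content-Length {values[0]!r}"}
    declared = int(values[0])
    return {"valid": declared == len(body), "declared": declared, "actual": len(body),
            "reason": "ok" if declared == len(body) else "body length mismatch"}


def location_of(head: bytes) -> Optional[str]:
    m = re.search(rb"^Location:[ \t]*([^\r\n]*)", head, re.I | re.M)
    return m.group(1).strip().decode("latin-1") if m else None


def classify(resp1: bytes, resp2: bytes, smuggled_path: str) -> str:
    """Interpret two replies to the same probe sent back to back on one
    connection. 'desync': the second reply answers the request-line carried
    in the first body, so some hop read that body as a new request.
    'clean': both answer the real request (what Mark saw on a plain 9.0.73)."""
    loc1, loc2 = location_of(resp1), location_of(resp2)
    status1, status2 = resp1.split(b"\r\n", 1)[0], resp2.split(b"\r\n", 1)[0]
    if loc2 is not None and smuggled_path in loc2:
        return "desync"
    if status1 == status2 and loc1 == loc2:
        return "clean"
    return "inconclusive"


def send_pair(host: str, port: int, probe: bytes, timeout: float = 5.0) -> List[bytes]:
    """Send the probe twice on one keep-alive connection and return both reply
    heads. Only for your own test instance; run tcpdump on the client<->proxy
    and proxy<->Tomcat links meanwhile. Bodies are skipped by Content-Length;
    chunked replies are not handled."""
    heads: List[bytes] = []
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for _ in range(2):
            s.sendall(probe)
            while b"\r\n\r\n" not in buf:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
            head, _, buf = buf.partition(b"\r\n\r\n")
            m = _CL.search(head)
            need = int(m.group(1).strip()) if m and m.group(1).strip().isdigit() else 0
            while len(buf) < need:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
            buf = buf[need:]            # keep any bytes of the next reply
            heads.append(head)
    return heads


if __name__ == "__main__":
    probe = build_probe(HOST, MARKER)
    print(check_content_length(probe))            # valid, 61 declared, 61 actual
    print(classify(RESP1, RESP2, SMUGGLED_PATH))  # desync (the posted pair)
```

On the posted pair the classifier says desync, which is what the scanner reported; on the pair Mark got from a clean Tomcat 9.0.73 (the same Location both times) it says clean. Note that both captured replies carry Server: AkamaiGHost rather than anything from Tomcat, so the trace as posted shows the edge's answer, not what reached Tomcat; that is why captures on both links are needed before the desync can be pinned on either hop.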


Re: Can We Disable Chunked Encoding?

Posted by "Terence M. Bandoian" <te...@tmbsw.com>.
On 7/24/2023 10:09 AM, Eric Robinson wrote:
> My apologies. I wasn't aware that something else besides the subject line identifies a thread. I thought changing the subject line *IS* starting a new thread. Thanks for letting me know. For my own edification, what does the list look for in a message to identify the thread?

Check the message source for headers identifying the thread.

-Terence Bandoian

>> -----Original Message-----
>> From: Mark Thomas <ma...@apache.org>
>> Sent: Thursday, July 6, 2023 3:13 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Can We Disable Chunked Encoding?
>>
>> Please don't hijack threads by replying to a previous message and changing
>> the subject. Start a new thread by sending a new message to the list.
>>
>> You also need to provide some version information.
>>
>> Mark
>>
>>
>> On 06/07/2023 00:36, Eric Robinson wrote:
>>> We've been seeing problems with failed requests where the response comes back with duplicate chunked encoding headers:
>>> [Response]
>>>
>>> HTTP/1.1 200
>>> Strict-Transport-Security: max-age=86400; includeSubDomains;
>>> Cache-Control: no-cache,no-store
>>> isAuthenticated: true
>>> X-FRAME-OPTIONS: SAMEORIGIN
>>> Transfer-Encoding: chunked  <<<<<<<<<<<<<
>>> X-XSS-Protection: 1; mode=block
>>> vary: accept-encoding
>>> Content-Encoding: gzip
>>> Content-Type: text/xml;charset=ISO-8859-1
>>> Transfer-Encoding: chunked  <<<<<<<<<<<<<< Duplicate
>>> Date: Wed, 05 Jul 2023 17:22:11 GMT
>>>
>>> This is a violation of RFC 7230, so our nginx proxy is dropping the request and returning a 502 bad gateway error. I've spoken to F5 about this, and there's no way to make nginx ignore this violation. Unfortunately, the app is a canned product, and we don't have access to the code.
>>> Is there a way to disable that behavior in Tomcat?
>>>
>>> -Eric
>>>
>>>
>>> Disclaimer : This email and any files transmitted with it are confidential and
>> intended solely for intended recipients. If you are not the named addressee
>> you should not disseminate, distribute, copy or alter this email. Any views or
>> opinions presented in this email are solely those of the author and might not
>> represent those of Physician Select Management. Warning: Although
>> Physician Select Management has taken reasonable precautions to ensure no
>> viruses are present in this email, the company cannot accept responsibility for
>> any loss or damage arising from the use of this email or attachments.


RE: Can We Disable Chunked Encoding?

Posted by Eric Robinson <er...@psmnv.com>.
My apologies. I wasn't aware that something else besides the subject line identifies a thread. I thought changing the subject line *IS* starting a new thread. Thanks for letting me know. For my own edification, what does the list look for in a message to identify the thread?

> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Thursday, July 6, 2023 3:13 AM
> To: users@tomcat.apache.org
> Subject: Re: Can We Disable Chunked Encoding?
>
> Please don't hijack threads by replying to a previous message and changing
> the subject. Start a new thread by sending a new message to the list.
>
> You also need to provide some version information.
>
> Mark
>
>
> On 06/07/2023 00:36, Eric Robinson wrote:
> > We've been seeing problems with failed requests where the response comes back with duplicate chunked encoding headers:
> >
> > [Response]
> >
> > HTTP/1.1 200
> > Strict-Transport-Security: max-age=86400; includeSubDomains;
> > Cache-Control: no-cache,no-store
> > isAuthenticated: true
> > X-FRAME-OPTIONS: SAMEORIGIN
> > Transfer-Encoding: chunked  <<<<<<<<<<<<<
> > X-XSS-Protection: 1; mode=block
> > vary: accept-encoding
> > Content-Encoding: gzip
> > Content-Type: text/xml;charset=ISO-8859-1
> > Transfer-Encoding: chunked  <<<<<<<<<<<<<< Duplicate
> > Date: Wed, 05 Jul 2023 17:22:11 GMT
> >
> > This is a violation of RFC 7230, so our nginx proxy is dropping the request and returning a 502 bad gateway error. I've spoken to F5 about this, and there's no way to make nginx ignore this violation. Unfortunately, the app is a canned product, and we don't have access to the code.
> >
> > Is there a way to disable that behavior in Tomcat?
> >
> > -Eric
> >
> >


Re: Can We Disable Chunked Encoding?

Posted by Mark Thomas <ma...@apache.org>.
Please don't hijack threads by replying to a previous message and 
changing the subject. Start a new thread by sending a new message to the 
list.

You also need to provide some version information.

Mark


On 06/07/2023 00:36, Eric Robinson wrote:
> We've been seeing problems with failed requests where the response comes back with duplicate chunked encoding headers:
> 
> [Response]
> 
> HTTP/1.1 200
> Strict-Transport-Security: max-age=86400; includeSubDomains;
> Cache-Control: no-cache,no-store
> isAuthenticated: true
> X-FRAME-OPTIONS: SAMEORIGIN
> Transfer-Encoding: chunked  <<<<<<<<<<<<<
> X-XSS-Protection: 1; mode=block
> vary: accept-encoding
> Content-Encoding: gzip
> Content-Type: text/xml;charset=ISO-8859-1
> Transfer-Encoding: chunked  <<<<<<<<<<<<<< Duplicate
> Date: Wed, 05 Jul 2023 17:22:11 GMT
> 
> This is a violation of RFC 7230, so our nginx proxy is dropping the request and returning a 502 bad gateway error. I've spoken to F5 about this, and there's no way to make nginx ignore this violation. Unfortunately, the app is a canned product, and we don't have access to the code.
> 
> Is there a way to disable that behavior in Tomcat?
> 
> -Eric
> 
> 


Can We Disable Chunked Encoding?

Posted by Eric Robinson <er...@psmnv.com>.
We've been seeing problems with failed requests where the response comes back with duplicate chunked encoding headers:

[Response]

HTTP/1.1 200
Strict-Transport-Security: max-age=86400; includeSubDomains;
Cache-Control: no-cache,no-store
isAuthenticated: true
X-FRAME-OPTIONS: SAMEORIGIN
Transfer-Encoding: chunked  <<<<<<<<<<<<<
X-XSS-Protection: 1; mode=block
vary: accept-encoding
Content-Encoding: gzip
Content-Type: text/xml;charset=ISO-8859-1
Transfer-Encoding: chunked  <<<<<<<<<<<<<< Duplicate
Date: Wed, 05 Jul 2023 17:22:11 GMT

This is a violation of RFC 7230, so our nginx proxy is dropping the request and returning a 502 bad gateway error. I've spoken to F5 about this, and there's no way to make nginx ignore this violation. Unfortunately, the app is a canned product, and we don't have access to the code.

Is there a way to disable that behavior in Tomcat?

-Eric


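The response Eric posted, run through a framing check as an added example (not code from the thread, from Tomcat or from nginx). Two Transfer-Encoding: chunked lines are, under RFC 7230's list-field rules, the same header as Transfer-Encoding: chunked, chunked, and section 3.3.1 forbids applying chunked more than once, which is why a strict proxy refuses the message instead of deduplicating it. The check also flags the other framing conflicts the same part of the RFC treats as errors. The sample is the posted response with CRLF line endings restored; nothing here changes Tomcat's behaviour, it only tells you which capture the violation first appears in.

```python
"""Framing check for an HTTP/1.1 response head.

Added example; not code from the thread, from Tomcat or from nginx. It
applies the RFC 7230 rules a strict proxy enforces: chunked may not be
applied more than once (3.3.1; two 'Transfer-Encoding: chunked' lines are
the list 'chunked, chunked'), Transfer-Encoding and Content-Length must
not both be present (3.3.3), and Content-Length values must be numeric
and agree (3.3.2). SAMPLE_RESPONSE is the posted response, CRLF restored.
"""
from typing import List, Tuple

SAMPLE_RESPONSE = (
    "HTTP/1.1 200\r\n"
    "Strict-Transport-Security: max-age=86400; includeSubDomains;\r\n"
    "Cache-Control: no-cache,no-store\r\n"
    "isAuthenticated: true\r\n"
    "X-FRAME-OPTIONS: SAMEORIGIN\r\n"
    "Transfer-Encoding: chunked\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "vary: accept-encoding\r\n"
    "Content-Encoding: gzip\r\n"
    "Content-Type: text/xml;charset=ISO-8859-1\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Date: Wed, 05 Jul 2023 17:22:11 GMT\r\n"
    "\r\n"
)


def parse_head(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a response head into the status line and (name, value) pairs.
    Names are lower-cased; order and duplicates are kept so a repeated
    field stays visible to the checks."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = [ln.rstrip("\r") for ln in head.split("\n")]
    headers: List[Tuple[str, str]] = []
    for ln in lines[1:]:
        if not ln:
            continue
        if ":" not in ln:
            raise ValueError(f"malformed header line: {ln!r}")
        name, value = ln.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def framing_problems(raw: str) -> List[str]:
    """Return 'CODE: detail' strings for each framing violation, empty if the
    head is acceptable to a strict RFC 7230 parser."""
    _, headers = parse_head(raw)
    te_lines = [v for n, v in headers if n == "transfer-encoding"]
    # Transfer-Encoding is a comma-separated list field, so several lines
    # combine into one ordered list of transfer codings.
    codings = [c.strip().lower() for v in te_lines for c in v.split(",") if c.strip()]
    cl_values = [v for n, v in headers if n == "content-length"]
    problems: List[str] = []
    n_chunked = codings.count("chunked")
    if n_chunked > 1:
        problems.append(f"TE_CHUNKED_REPEATED: chunked applied {n_chunked} times across "
                        f"{len(te_lines)} Transfer-Encoding lines (RFC 7230 s3.3.1)")
    if te_lines and cl_values:
        problems.append("TE_AND_CL: Transfer-Encoding and Content-Length both present "
                        "(RFC 7230 s3.3.3)")
    if any(not v.isdigit() for v in cl_values):
        problems.append("CL_INVALID: non-numeric Content-Length (RFC 7230 s3.3.2)")
    elif len(set(cl_values)) > 1:
        problems.append("CL_CONFLICT: differing Content-Length values (RFC 7230 s3.3.2)")
    return problems


if __name__ == "__main__":
    for p in framing_problems(SAMPLE_RESPONSE) or ["no framing problems"]:
        print(p)
```

Run it over heads captured directly on Tomcat's connector port and again on the nginx side of the hop; the first capture that shows the second line identifies where it is added (the application, Tomcat, or something in between), which is the version and capture detail Mark asks for before anything can be changed on the Tomcat side.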

RE: Apache Tomcat request smuggling in 9.0.68?

Posted by James Boggs <jb...@rightdirectiontech.com.INVALID>.
Hello,

I was sent this information, I hope this meets your expectations.

-----------------------------------------------------------------------------------------
Request 1
GET / HTTP/1.1
Host: rplans.army.mil
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="113", "Chromium";v="113"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 61
Cookie: ai_user=zah6PVBAYp+ILUaHTr/CZn|2023-06-27T16:40:26.575Z; ai_session=4yP6RgcdmaqsiFQJVdym6I|1687884026682|1687884026682; _ga=GA1.2.1707569457.1687904638; _gid=GA1.2.1713949416.1687904638; _gat=1

GET /j6pnv4c5dp?j6pnv4c5dp=j6pnv4c5dp HTTP/1.1
X: kyhzap9frc
Response 1
HTTP/1.1 301 Moved Permanently
Server: AkamaiGHost
Content-Length: 0
Location: https://rplans.army.mil/
Date: Wed, 28 Jun 2023 01:37:07 GMT
Connection: Keep-Alive
Request 2
GET / HTTP/1.1
Host: rplans.army.mil
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="113", "Chromium";v="113"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 61
Cookie: ai_user=zah6PVBAYp+ILUaHTr/CZn|2023-06-27T16:40:26.575Z; ai_session=4yP6RgcdmaqsiFQJVdym6I|1687884026682|1687884026682; _ga=GA1.2.1707569457.1687904638; _gid=GA1.2.1713949416.1687904638; _gat=1

GET /j6pnv4c5dp?j6pnv4c5dp=j6pnv4c5dp HTTP/1.1
X: kyhzap9frc
Response 2
HTTP/1.1 301 Moved Permanently
Server: AkamaiGHost
Content-Length: 0
Location: https://rplans.army.mil/j6pnv4c5dp?j6pnv4c5dp=j6pnv4c5dp
Date: Wed, 28 Jun 2023 01:37:09 GMT
Connection: Keep-Alive
-------------------------------------------------------------------------------------------------------------------------


-----Original Message-----
From: Mark Thomas <ma...@apache.org> 
Sent: Wednesday, July 5, 2023 12:59 PM
To: users@tomcat.apache.org
Subject: Re: Apache Tomcat request smuggling in 9.0.68?

Without knowing which vulnerability is being tested for and how the vulnerability is being tested for I don't think anyone here will be able to help.

A (cleartext) tcpdump of the associated request(s) and response(s) would also be helpful.

Mark


On 05/07/2023 17:51, James Boggs wrote:
> Hi,
> 
> We have Apache Tomcat 9.0.73 installed on a Windows Server 2019 o/s 
> which has a Request Smuggling vulnerability being reported in a 
> BURP scan.
> 
> The Tomcat documentation reports Request Smuggling has been fixed in 
> 9.0.68, so we don’t understand why it would still be reported using 9.0.73.
> 
> Any insights on this?
> 
> We have been told the proxy in use only supports HTTP1, so HTTP2 is 
> not an option.
> 


Re: Apache Tomcat request smuggling in 9.0.68?

Posted by Mark Thomas <ma...@apache.org>.
Without knowing which vulnerability is being tested for and how the 
vulnerability is being tested for I don't think anyone here will be able 
to help.

A (cleartext) tcpdump of the associated request(s) and response(s) would 
also be helpful.

Mark


On 05/07/2023 17:51, James Boggs wrote:
> Hi,
> 
> We have Apache Tomcat 9.0.73 installed on a Windows Server 2019 o/s 
> which has a Request Smuggling vulnerability being reported in a BURP 
> scan.
> 
> The Tomcat documentation reports Request Smuggling has been fixed in 
> 9.0.68, so we don’t understand why it would still be reported using 9.0.73.
> 
> Any insights on this?
> 
> We have been told the proxy in use only supports HTTP1, so HTTP2 is not 
> an option.
> 