Posted to announce@apache.org by Mark Thomas <ma...@apache.org> on 2022/10/31 16:46:25 UTC

[SECURITY] CVE-2022-42252 Apache Tomcat - Request Smuggling

CVE-2022-42252 Apache Tomcat - Request Smuggling

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0
Apache Tomcat 10.0.0-M1 to 10.0.26
Apache Tomcat 9.0.0-M1 to 9.0.67
Apache Tomcat 8.5.0 to 8.5.52

Description:
If Tomcat was configured to ignore invalid HTTP headers via setting
rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did
not reject a request containing an invalid Content-Length header, making
a request smuggling attack possible if Tomcat was located behind a
reverse proxy that also failed to reject the request with the invalid
header.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Ensure rejectIllegalHeader is set to true
- Upgrade to Apache Tomcat 10.1.1 or later
- Upgrade to Apache Tomcat 10.0.27 or later
- Upgrade to Apache Tomcat 9.0.68 or later
- Upgrade to Apache Tomcat 8.5.83 or later

Credit:
Thanks to Sam Shahsavar who discovered this issue and reported it to the 
Apache Tomcat security team.

History:
2022-10-31 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
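The description above hinges on what an "invalid Content-Length header" is in practice and on the fact that a front end must reject such a request rather than ignore it: when two parsers in the chain disagree on whether the header counts, they can disagree on where the request body ends. The following is an added example, not Tomcat code and not part of the advisory: a strict Content-Length validator in Python of the kind a reverse proxy or gateway in front of Tomcat should apply, following RFC 9110 section 8.6. The header blocks it runs over are constructed for illustration, not captured traffic.

```python
"""Strict Content-Length validation (RFC 9110, section 8.6).

Added example, not Tomcat code: shows which Content-Length forms a front end
must reject with 400 instead of ignoring. Sample header blocks are constructed.
"""

import re
from typing import Optional

# Content-Length = 1*DIGIT. A recipient MAY accept a comma-separated list,
# but only when every member is the same valid number.
_DIGITS = re.compile(r"[0-9]+")


class InvalidHeader(ValueError):
    """Raised when the request must be rejected rather than processed."""


def parse_header_block(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw CRLF-delimited header block into (lower-cased name, value)
    pairs. Nothing is merged or normalised: the validator must see every copy
    of a repeated header to detect conflicts."""
    pairs = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise InvalidHeader(f"header line without colon: {line!r}")
        pairs.append((name.decode("latin-1").strip().lower(),
                      value.decode("latin-1").strip(" \t")))
    return pairs


def content_length(headers: list[tuple[str, str]]) -> Optional[int]:
    """Return the declared body length, None when no Content-Length is present,
    or raise InvalidHeader. Every member of every Content-Length field must be
    an unsigned decimal integer (no sign, no whitespace inside, not empty) and
    all members must agree."""
    members = [m.strip(" \t")
               for name, value in headers if name == "content-length"
               for m in value.split(",")]
    if not members:
        return None
    bad = [m for m in members if not _DIGITS.fullmatch(m)]
    if bad:
        raise InvalidHeader(f"non-numeric Content-Length member(s): {bad!r}")
    if len({int(m) for m in members}) != 1:
        raise InvalidHeader(f"conflicting Content-Length values: {members!r}")
    return int(members[0])


def audit(raw: bytes) -> tuple[str, Optional[int]]:
    """Classify one header block as ('accept', length) or ('reject', None)."""
    try:
        return "accept", content_length(parse_header_block(raw))
    except InvalidHeader:
        return "reject", None


# Constructed header blocks (not captured traffic), one per validator branch.
SAMPLES = {
    "plain": b"Host: example.test\r\nContent-Length: 12\r\n",
    "absent": b"Host: example.test\r\n",
    "duplicate_equal": b"Content-Length: 7\r\nContent-Length: 7\r\n",
    "list_equal": b"Content-Length: 7, 7\r\n",
    "leading_plus": b"Content-Length: +12\r\n",
    "non_digit": b"Content-Length: 12abc\r\n",
    "conflicting": b"Content-Length: 5\r\nContent-Length: 6\r\n",
    "empty_value": b"Content-Length:\r\n",
}


def run_samples() -> dict[str, tuple[str, Optional[int]]]:
    """Audit every constructed sample and return the verdicts by name."""
    return {name: audit(block) for name, block in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, length) in run_samples().items():
        print(f"{name:16s} {verdict:7s} {length}")
```

Only the first four samples are accepted; the signed, non-numeric, conflicting and empty values are rejected outright, which is the behaviour the advisory's mitigation restores on the Tomcat side. There the setting is the `rejectIllegalHeader` attribute on the HTTP `<Connector>` element in `conf/server.xml`; a proxy that applies the same strictness ensures both ends frame the request identically.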


Re: [SECURITY][UPDATE] CVE-2022-42252 Apache Tomcat - Request Smuggling

Posted by Christopher Schultz <ch...@christopherschultz.net>.
All,

There is a typo in this announcement.

The affected versions of Tomcat 8.5 are 8.5.0 to 8.0.82, not 8.5.52.

Thanks,
-chris

On 10/31/22 12:46, Mark Thomas wrote:
> CVE-2022-42252 Apache Tomcat - Request Smuggling
> 
> Severity: Low
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 10.1.0-M1 to 10.1.0
> Apache Tomcat 10.0.0-M1 to 10.0.26
> Apache Tomcat 9.0.0-M1 to 9.0.67
> Apache Tomcat 8.5.0 to 8.5.52
> 
> Description:
> If Tomcat was configured to ignore invalid HTTP headers via setting
> rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did
> not reject a request containing an invalid Content-Length header making
> a request smuggling attack possible if Tomcat was located behind a
> reverse proxy that also failed to reject the request with the invalid
> header.
> 
> 
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Ensure rejectIllegalHeader is set to true
> - Upgrade to Apache Tomcat 10.1.1 or later
> - Upgrade to Apache Tomcat 10.0.27 or later
> - Upgrade to Apache Tomcat 9.0.68 or later
> - Upgrade to Apache Tomcat 8.5.83 or later
> 
> Credit:
> Thanks to Sam Shahsavar who discovered this issue and reported it to the 
> Apache Tomcat security team.
> 
> History:
> 2022-10-31 Original advisory
> 
> References:
> [1] https://tomcat.apache.org/security-10.html
> [2] https://tomcat.apache.org/security-9.html
> [3] https://tomcat.apache.org/security-8.html
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
> 
