Date: Mon, 31 Oct 2022 16:53:36 +0000
From: Mark Thomas <markt@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2022-42252: Apache Tomcat - Request Smuggling

CVE-2022-42252 Apache Tomcat - Request Smuggling

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0
Apache Tomcat 10.0.0-M1 to 10.0.26
Apache Tomcat 9.0.0-M1 to 9.0.67
Apache Tomcat 8.5.0 to 8.5.52

Description:
If Tomcat was configured to ignore invalid HTTP headers by setting
rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not
reject a request containing an invalid Content-Length header. This made a
request smuggling attack possible if Tomcat was located behind a reverse
proxy that also failed to reject the request with the invalid header.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Ensure rejectIllegalHeader is set to true
- Upgrade to Apache Tomcat 10.1.1 or later
- Upgrade to Apache Tomcat 10.0.27 or later
- Upgrade to Apache Tomcat 9.0.68 or later
- Upgrade to Apache Tomcat 8.5.83 or later

Credit:
Thanks to Sam Shahsavar who discovered this issue and reported it to the
Apache Tomcat security team.

History:
2022-10-31 Original advisory

References:
https://tomcat.apache.org/security-10.html
https://tomcat.apache.org/security-9.html
https://tomcat.apache.org/security-8.html
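The first mitigation above is a connector setting in conf/server.xml. The fragment below is an added example, not part of the advisory and not Tomcat's shipped configuration: it shows an 8.5.x-style connector that relies on the permissive default beside the same connector with rejectIllegalHeader set explicitly, as the advisory recommends. The port, protocol class and timeout values are illustrative assumptions; rejectIllegalHeader is the attribute named in the advisory.

```xml
<!-- Added example (not from the advisory): two HTTP/1.1 connector definitions.
     Port, protocol handler and timeout values are assumptions for illustration. -->

<!-- Weak: on 8.5.x the default for rejectIllegalHeader is false, so an
     invalid Content-Length header is tolerated instead of rejected.
     Leaving the attribute unset is equivalent to this on 8.5.x. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           rejectIllegalHeader="false" />

<!-- Corrected: set rejectIllegalHeader explicitly so requests carrying an
     invalid header are rejected regardless of the version's default.
     Pair this with a reverse proxy that also rejects malformed headers,
     since the smuggling scenario needs both hops to be permissive. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           rejectIllegalHeader="true" />
```

Set the attribute on every HTTP/1.1 Connector element that accepts traffic from the proxy, and verify after restart that a request with a malformed Content-Length receives a 400 response rather than being processed.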