Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALASTOMCAT8.5-2023-012

Related Vulnerabilities: CVE-2019-17569   CVE-2020-1935   CVE-2020-1938  

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2019-17569) A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. The highest threat with this vulnerability is system availability. (CVE-2020-1935)

Source

ALASTOMCAT8.5-2023-012

Amazon Linux 2 Security Advisory: ALASTOMCAT8.5-2023-012
Advisory Release Date: 2023-08-21 20:58 Pacific
Advisory Updated Date: 2023-09-25 21:58 Pacific
Severity: Important
Issue Overview:

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2019-17569)

A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. The highest threat with this vulnerability is system availability. (CVE-2020-1935)


Affected Packages:

tomcat


Issue Correction:
Run yum update tomcat to update your system.

New Packages:
noarch:
    tomcat-8.5.51-1.amzn2.noarch
    tomcat-admin-webapps-8.5.51-1.amzn2.noarch
    tomcat-docs-webapp-8.5.51-1.amzn2.noarch
    tomcat-javadoc-8.5.51-1.amzn2.noarch
    tomcat-jsvc-8.5.51-1.amzn2.noarch
    tomcat-jsp-2.3-api-8.5.51-1.amzn2.noarch
    tomcat-lib-8.5.51-1.amzn2.noarch
    tomcat-servlet-3.1-api-8.5.51-1.amzn2.noarch
    tomcat-el-3.0-api-8.5.51-1.amzn2.noarch
    tomcat-webapps-8.5.51-1.amzn2.noarch

src:
    tomcat-8.5.51-1.amzn2.src

Additional References

Red Hat: CVE-2019-17569, CVE-2020-1935, CVE-2020-1938

Mitre: CVE-2019-17569, CVE-2020-1935, CVE-2020-1938

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started