https://bugzilla.redhat.com/show_bug.cgi?id=1806835
--- Comment #9 from Mauro Matteo Cascella mcascell@redhat.com --- Mitigation:
Disabling keep-alive will prevent Tomcat from reading multiple requests from a single TCP connection, and should also prevent Tomcat from handling any request that was smuggled through the proxy in front of it. This can be done via the `maxKeepAliveRequests` configuration setting of the HTTP Connector. Apache httpd is often used as a reverse proxy to enhance the performance of high-load environments. When running Tomcat behind Apache httpd, consider the `KeepAlive Off` configuration setting.
As disabling keep-alive may be undesired for performance reasons, an alternative way to mitigate this issue is by rejecting connections with requests using chunked encoding. Unlike chunked-encoded HTTP responses, chunked-encoded HTTP requests are not believed to be commonly used. The following mod_rewrite rule will reject requests with the "Transfer-Encoding: chunked" HTTP header:

    RewriteEngine on
    RewriteCond %{HTTP:Transfer-Encoding} ^chunked$
    RewriteRule .* - [R=400]
This rule can be used with httpd versions as shipped in Red Hat Enterprise Linux 5 and later. If deployed, administrators should monitor httpd logs for an increase in the number of requests resulting in HTTP error code 400 (Bad Request), which may indicate legitimate clients actually trying to use chunked encoded requests.
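The following script is an added example and is not part of the bug report or of any Red Hat-shipped tooling. It packages the mitigation from comment #9 so it can be deployed and checked: it writes the mod_rewrite rule as a drop-in httpd config fragment, counts the HTTP 400 responses in a combined-format access log (the monitoring step the comment recommends), and sends a chunked request through a running proxy to confirm the rule fires. The config file path, the probe URL and the access-log lines are assumptions constructed for this example; the probe against a live server is only run if `PROXY_URL` is set.

```shell
#!/bin/sh
# Added example for bug 1806835; not code from the bug report.
# Assumptions: httpd reads drop-in files from /etc/httpd/conf.d/ (RHEL layout),
# the access log uses the "combined" LogFormat, and curl is available.
set -eu

# Write the mod_rewrite rule from comment #9 as a drop-in config fragment.
# The rule is reproduced verbatim; a commented KeepAlive alternative is added.
write_mitigation_conf() {
    cat > "$1" <<'EOF'
# Reject requests using chunked transfer encoding (bug 1806835 mitigation).
RewriteEngine on
RewriteCond %{HTTP:Transfer-Encoding} ^chunked$
RewriteRule .* - [R=400]
# Alternative, at a performance cost: disable keep-alive on the proxy.
# KeepAlive Off
EOF
}

# Count responses with status 400 in a combined-format access log.
# In that format the final status (%>s) is the ninth whitespace field.
count_400() {
    awk '$9 == 400 { n++ } END { print n + 0 }' "$1"
}

# Send a chunked POST through a live proxy and print the status it returns.
# With the fragment above deployed this should print 400.
probe_chunked() {
    curl -s -o /dev/null -w '%{http_code}' \
        -H 'Transfer-Encoding: chunked' \
        --data-binary 'probe=1' "$1"
}

# Demonstration on a constructed access log: two rejected chunked requests
# and one ordinary request. These lines are made up for the example.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
192.0.2.10 - - [20/Feb/2020:10:00:00 +0000] "POST /app/login HTTP/1.1" 400 226 "-" "curl/7.61.1"
192.0.2.11 - - [20/Feb/2020:10:00:01 +0000] "GET /app/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.12 - - [20/Feb/2020:10:00:02 +0000] "POST /app/upload HTTP/1.1" 400 226 "-" "Java/1.8.0"
EOF
echo "400 responses in sample log: $(count_400 "$sample_log")"
rm -f "$sample_log"

# Deployment and live check are opt-in so the script runs offline as well.
if [ -n "${MITIGATION_CONF:-}" ]; then
    write_mitigation_conf "$MITIGATION_CONF"   # e.g. /etc/httpd/conf.d/no-chunked.conf
fi
if [ -n "${PROXY_URL:-}" ]; then
    echo "status for chunked request to $PROXY_URL: $(probe_chunked "$PROXY_URL")"
fi
```

Two things to keep in mind when deploying this. The pattern `^chunked$` is an exact, case-sensitive match, so a request sending `Transfer-Encoding: Chunked` or a comma-separated list such as `gzip, chunked` is not rejected by it; whether that matters depends on what the proxy and Tomcat accept, and the rule should be tested against the actual traffic mix rather than assumed to cover every spelling. On the Tomcat side, the `maxKeepAliveRequests` attribute of the HTTP Connector in server.xml disables keep-alive when set to 1, which is the setting comment #9 refers to for the first mitigation.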