https://bugzilla.redhat.com/show_bug.cgi?id=1806835
Bug ID: 1806835
Summary: CVE-2020-1935 tomcat: HTTP Request Smuggling
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: jwon@redhat.com
CC: aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, alee@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bgeorges@redhat.com, bmaxwell@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, cmoulliard@redhat.com, coolsvap@gmail.com, csutherl@redhat.com, darran.lofthouse@redhat.com, dbecker@redhat.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, etirelli@redhat.com, ggaughan@redhat.com, gzaronik@redhat.com, ibek@redhat.com, ikanello@redhat.com, ivan.afonichev@gmail.com, iweiss@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jclere@redhat.com, jjoyce@redhat.com, jochrist@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jschluet@redhat.com, jstastny@redhat.com, jwon@redhat.com, kbasil@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, kwills@redhat.com, lgao@redhat.com, lhh@redhat.com, lpeer@redhat.com, lthon@redhat.com, mbabacek@redhat.com, mburns@redhat.com, mkolesni@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, myarboro@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pgallagh@redhat.com, pjindal@redhat.com, pmackay@redhat.com, psotirop@redhat.com, rguimara@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, sclewis@redhat.com, scohen@redhat.com, sdaley@redhat.com, slinaber@redhat.com, smaestri@redhat.com, tom.jenkinson@redhat.com, weli@redhat.com
Target Milestone: ---
Classification: Other
The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
It affects Apache Tomcat 9 versions before 9.0.31, Tomcat 8 versions before 8.5.51, and Tomcat 7 versions before 7.0.100.
Upstream Patches:
https://github.com/apache/tomcat/commit/8bfb0ff / tomcat9
https://github.com/apache/tomcat/commit/8fbe2e9 / tomcat8
https://github.com/apache/tomcat/commit/702bf15 / tomcat7
--- Comment #1 from Ted (Jong Seok) Won jwon@redhat.com ---
Acknowledgments:
Name: @ZeddYu (Apache Tomcat Security Team)
--- Comment #2 from Ted (Jong Seok) Won jwon@redhat.com ---
External References:
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
Ted (Jong Seok) Won jwon@redhat.com changed:
What | Removed | Added
-----|---------|------
Blocks | | 1806837
--- Doc Text *updated* by Ted (Jong Seok) Won jwon@redhat.com ---
The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
It affects Apache Tomcat 9 versions 9.0.0.M1 to 9.0.30, Tomcat 8 versions 8.5.0 to 8.5.50, and Tomcat 7 versions 7.0.0 to 7.0.99.
Ted (Jong Seok) Won jwon@redhat.com changed:
What | Removed | Added
-----|---------|------
Doc Type | --- | If docs needed, set a value
Ted (Jong Seok) Won jwon@redhat.com changed:
What | Removed | Added
-----|---------|------
Summary | CVE-2020-1935 tomcat: HTTP Request Smuggling | CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling
--- Doc Text *updated* by Eric Christensen sparks@redhat.com ---
A flaw was found in Apache Tomcat versions 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50, and 7.0.0 to 7.0.99. The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. The highest threat with this vulnerability is system availability.
--- Comment #6 from Anten Skrabec askrabec@redhat.com ---
Statement:
OpenDaylight in Red Hat OpenStack 10 & 13 was in technical preview status; because of this, no fixes will be released for it.
Mauro Matteo Cascella mcascell@redhat.com changed:
What | Removed | Added
-----|---------|------
Depends On | | 1814315, 1814316
--- Comment #8 from Mauro Matteo Cascella mcascell@redhat.com ---
Statement:
OpenDaylight in Red Hat OpenStack 10 & 13 was in technical preview status; because of this, no fixes will be released for it.
--- Comment #9 from Mauro Matteo Cascella mcascell@redhat.com ---
Mitigation:
Disabling keep-alive will prevent Tomcat from reading multiple requests from a single TCP connection, and should also prevent Tomcat from handling any request that was smuggled through the proxy in front of it. This can be done via the `maxKeepAliveRequests` configuration setting of the HTTP Connector. Apache httpd is often used as a reverse proxy to enhance the performance of high-load environments. When running Tomcat behind Apache httpd, consider the `KeepAlive Off` configuration setting.
As disabling keep-alive may be undesired for performance reasons, an alternative way to mitigate this issue is by rejecting connections with requests using chunked encoding. Unlike chunked-encoded HTTP responses, chunked-encoded HTTP requests are not believed to be commonly used. The following mod_rewrite rule will reject requests with the "Transfer-Encoding: chunked" HTTP header:

    RewriteEngine on
    RewriteCond %{HTTP:Transfer-Encoding} ^chunked$
    RewriteRule .* - [R=400]
This rule can be used with httpd versions as shipped in Red Hat Enterprise Linux 5 and later. If deployed, administrators should monitor httpd logs for an increase in the number of requests resulting in HTTP error code 400 (Bad Request), which may indicate legitimate clients actually trying to use chunked encoded requests.
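As an added example, not code from this Bugzilla report or from Tomcat itself, a strict HTTP/1.1 request-head parser in Python shows what end-of-line discipline and Transfer-Encoding checks look like in practice. It applies RFC 7230's rules as an assumption (CRLF line ends, token field names, chunked as the final coding, no Transfer-Encoding alongside Content-Length) and does not reproduce the exact byte sequences pre-fix Tomcat accepted; all sample inputs are constructed.

```python
# Added example, not code from this Bugzilla report or from Tomcat: a strict HTTP/1.1
# request-head parser applying RFC 7230 rules (CRLF line ends, token field names,
# chunked last, no Transfer-Encoding with Content-Length). Pre-fix Tomcat's exact
# accepted bytes are not reproduced; all sample inputs below are constructed.
import re

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 tchar+
class MalformedRequest(ValueError):
    """Anything a proxy and its backend could plausibly read differently."""


def split_head(head: bytes) -> list:
    """Split the request head on CRLF only; a lone CR or LF is an error."""
    lines, pos = [], 0
    while True:
        end = head.find(b"\r\n", pos)
        if end < 0:
            raise MalformedRequest("head not terminated by an empty CRLF line")
        line, pos = head[pos:end], end + 2
        if b"\r" in line or b"\n" in line:
            raise MalformedRequest("bare CR or LF inside a header line")
        if not line:
            return lines  # the empty line closes the header block
        lines.append(line)


def parse_head(head: bytes) -> dict:
    """Return {'request_line': bytes, 'headers': {lowercased name: [values]}}."""
    lines = split_head(head)
    if not lines:
        raise MalformedRequest("missing request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):  # also rejects "Name : v" and obs-fold
            raise MalformedRequest("invalid header field name %r" % name)
        headers.setdefault(name.lower(), []).append(value.strip(b" \t"))
    te = headers.get(b"transfer-encoding")
    if te is not None:
        codings = [c.strip().lower() for v in te for c in v.split(b",")]
        if not all(TOKEN.fullmatch(c) for c in codings) or codings[-1] != b"chunked":
            raise MalformedRequest("Transfer-Encoding malformed or chunked not final")
        if b"content-length" in headers:
            raise MalformedRequest("Transfer-Encoding and Content-Length both present")
    return {"request_line": lines[0], "headers": headers}


def is_accepted(head: bytes) -> bool:
    try:
        parse_head(head)
        return True
    except MalformedRequest:
        return False


# Constructed samples: a well-formed chunked POST and two heads the parser refuses.
GOOD = b"POST /x HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\r\n\r\n"
BARE_LF = b"POST /x HTTP/1.1\r\nHost: a\r\nTransfer-Encoding: chunked\n\r\n"
TE_AND_CL = GOOD.replace(b"Host: a\r\n", b"Host: a\r\nContent-Length: 4\r\n")
```

A proxy and a backend that disagree on any of these checks is the precondition the report describes; a parser that rejects rather than guesses removes the disagreement.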
--- Comment #10 from Mauro Matteo Cascella mcascell@redhat.com ---
Mitigation:
Disabling keep-alive will prevent Tomcat from reading multiple requests from a single TCP connection, and should also prevent Tomcat from handling any request that was smuggled through the proxy in front of it. This can be done via the `maxKeepAliveRequests` configuration setting of the HTTP Connector.
Apache httpd is often used as a reverse proxy to enhance the performance of high-load environments. When running Tomcat behind Apache httpd, consider the `disablereuse Off` mod_proxy configuration setting, which can be used to prevent Tomcat from keeping the connection between itself and httpd.
--- Comment #11 from Mauro Matteo Cascella mcascell@redhat.com ---
Mitigation:
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2020:1521 https://access.redhat.com/errata/RHSA-2020:1521
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
-----|---------|------
Link ID | | Red Hat Product Errata RHSA-2020:1521
--- Comment #13 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.3 on RHEL 7
Red Hat JBoss Web Server 5.3 on RHEL 6
Red Hat JBoss Web Server 5.3 on RHEL 8
Via RHSA-2020:1520 https://access.redhat.com/errata/RHSA-2020:1520
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
-----|---------|------
Link ID | | Red Hat Product Errata RHSA-2020:1520
Product Security DevOps Team prodsec-dev@redhat.com changed:
What | Removed | Added
-----|---------|------
Status | NEW | CLOSED
Resolution | --- | ERRATA
Last Closed | | 2020-04-21 16:31:48
--- Comment #14 from Product Security DevOps Team prodsec-dev@redhat.com ---
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-1935
--- Comment #15 from Yadnyawalk Tale ytale@redhat.com ---
Statement:
OpenDaylight in Red Hat OpenStack 10 & 13 was in technical preview status, because of this no fixes will be released for it.
In Red Hat Satellite 6, Candlepin is using Tomcat to provide a REST API, and has been found to be vulnerable to the flaw. However, it is currently believed that no useful attacks can be carried over.
--- Comment #16 from Yadnyawalk Tale ytale@redhat.com ---
Mitigation:
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A way to mitigate the Red Hat Satellite case is to deny TCP requests that do not originate from localhost or any IP belonging to the Satellite.
Yadnyawalk Tale ytale@redhat.com changed:
What | Removed | Added
-----|---------|------
Comment | 16 | updated
--- Comment #16 has been edited ---
Mitigation:
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
A way to mitigate the Red Hat Satellite case is to deny TCP requests that do not originate from localhost or any IP belonging to the Satellite.
Rodrigo A B Freire rfreire@redhat.com changed:
What | Removed | Added
-----|---------|------
CC | | rfreire@redhat.com
Flags | | needinfo?(jwon@redhat.com)
Ted (Jong Seok) Won jwon@redhat.com changed:
What | Removed | Added
-----|---------|------
Flags | needinfo?(jwon@redhat.com) | needinfo?(rfreire@redhat.com)
--- Comment #18 from Ted (Jong Seok) Won jwon@redhat.com ---
Hi Rodrigo,
As I understand it, Kevin and the customer want a JBCS fix for CVE-2020-1934, not a JWS one, JWS-1588 (CVE-2020-1935). I asked Kevin for his confirmation. https://issues.redhat.com/browse/JWS-1588?focusedCommentId=14110175&page...
Let me reassess the flaw, and I will update you and Kevin.
Thanks, Ted
Ted (Jong Seok) Won jwon@redhat.com changed:
What | Removed | Added
-----|---------|------
Flags | needinfo?(jwon@redhat.com) |
--- Comment #22 from Yadnyawalk Tale ytale@redhat.com ---
Mitigation:
The workaround for Red Hat Satellite 6 is to add an iptables rule that denies TCP requests to Tomcat not originating from the Satellite.
For other Red Hat products, either mitigation isn't available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Runtimes Spring Boot 2.1.13
Via RHSA-2020:2367 https://access.redhat.com/errata/RHSA-2020:2367
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
-----|---------|------
Link ID | | Red Hat Product Errata RHSA-2020:2367
Daniel Chong dchong@redhat.com changed:
What | Removed | Added
-----|---------|------
CC | | dchong@redhat.com
--- Comment #25 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat JBoss Web Server 3 for RHEL 7
Red Hat JBoss Web Server 3 for RHEL 6
Via RHSA-2020:3303 https://access.redhat.com/errata/RHSA-2020:3303
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
-----|---------|------
Link ID | | Red Hat Product Errata RHSA-2020:3303
--- Comment #26 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2020:3305 https://access.redhat.com/errata/RHSA-2020:3305
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
-----|---------|------
Link ID | | Red Hat Product Errata RHSA-2020:3305
--- Doc Text *updated* by Michael Kaplan mkaplan@redhat.com ---
A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. The highest threat with this vulnerability is system availability.
Chess Hazlett chazlett@redhat.com changed:
What | Removed | Added
-----|---------|------
Flags | | needinfo?(jwon@redhat.com)
Ted (Jong Seok) Won jwon@redhat.com changed:
What | Removed | Added
-----|---------|------
Flags | needinfo?(jwon@redhat.com) |
--- Comment #33 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:5020 https://access.redhat.com/errata/RHSA-2020:5020
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
-----|---------|------
Link ID | | Red Hat Product Errata RHSA-2020:5020
Coty Sutherland csutherl@redhat.com changed:
What | Removed | Added
-----|---------|------
Depends On | | 1930277
Depends On | | 1930276
--- Comment #36 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.6 Extended Update Support
Via RHSA-2021:0882 https://access.redhat.com/errata/RHSA-2021:0882
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
-----|---------|------
Link ID | | Red Hat Product Errata RHSA-2021:0882
--- Comment #37 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.7 Extended Update Support
Via RHSA-2021:1030 https://access.redhat.com/errata/RHSA-2021:1030
msiddiqu@redhat.com changed:
What | Removed | Added
-----|---------|------
Blocks | | 1946546
--- Comment #38 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Fuse 7.9
Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
-----|---------|------
Link ID | | Red Hat Product Errata RHSA-2021:3140