Re: Clarification on CVE-2023-46589
On 18/12/2023 09:50, purtrator wrote: There are many types of things one can do with HTTP Request Smuggling, is this an attack where header theft, cache poisoning or even response queue poisoning is possible? What are the possible damage scenarios? Assume that any attack enabled by request smuggling is possible. And finally I wonder what the restrictions of this issue are Does it work over HTTP/2 or HTTP/1.1 or both? HTTP/1.1 only. The use of separate streams in HTTP/2 for each request prevents this type of attack. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Clarification on CVE-2023-46589
There are many types of things one can do with HTTP Request Smuggling, is this an attack where header theft, cache poisoning or even response queue poisoning is possible? What are the possible damage scenarios? And finally I wonder what the restrictions of this issue are Does it work over HTTP/2 or HTTP/1.1 or both? - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Clarification on CVE-2023-46589
On 14/12/2023 16:13, Benny Prange wrote: Am Do., 14. Dez. 2023 um 16:51 Uhr schrieb Mark Thomas : On 14/12/2023 15:33, Benny Prange wrote: Hi all, I am having trouble understanding the description of CVE-2023-46589. Does this CVE affect scenarios where the Apache Tomcat is the reverse proxy, or or when the Apache Tomcat is running behind a reverse proxy? Is the Tomcat vulnerable to request smuggling, or other applications running behind the Tomcat? Tomcat does not provide reverse proxy configuration. This CVE applies when Tomcat is behind a reverse proxy. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org Thanks for the quick response. I'm afraid I still can't grasp it: From my understanding, the trailer header is used in HTTP responses. How can this lead to request smuggling? Trailer headers are valid for both requests and responses. I am not going to describe how to attack Tomcat using this CVE. Why is it important that there is a reverse proxy in front of the Tomcat, Request smuggling occurs when two different HTTP servers (in this case the reverse proxy and Tomcat) process an invalid request in different ways. This typically results in the invalid request incorrectly being treated as more than one request by one of those servers. or would the CVE also be applicable without a reverse proxy? No. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Clarification on CVE-2023-46589
Am Do., 14. Dez. 2023 um 16:51 Uhr schrieb Mark Thomas : > On 14/12/2023 15:33, Benny Prange wrote: > > Hi all, > > > > I am having trouble understanding the description of CVE-2023-46589. > > Does this CVE affect scenarios where the Apache Tomcat is the reverse > > proxy, or or when the Apache Tomcat is running behind a reverse proxy? > > Is the Tomcat vulnerable to request smuggling, or other applications > > running behind the Tomcat? > > Tomcat does not provide reverse proxy configuration. > > This CVE applies when Tomcat is behind a reverse proxy. > > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > Thanks for the quick response. I'm afraid I still can't grasp it: >From my understanding, the trailer header is used in HTTP responses. How can this lead to request smuggling? Why is it important that there is a reverse proxy in front of the Tomcat, or would the CVE also be applicable without a reverse proxy? Thanks a lot Benny
Re: Clarification on CVE-2023-46589
On 14/12/2023 15:33, Benny Prange wrote: Hi all, I am having trouble understanding the description of CVE-2023-46589. Does this CVE affect scenarios where the Apache Tomcat is the reverse proxy, or or when the Apache Tomcat is running behind a reverse proxy? Is the Tomcat vulnerable to request smuggling, or other applications running behind the Tomcat? Tomcat does not provide reverse proxy configuration. This CVE applies when Tomcat is behind a reverse proxy. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Clarification on CVE-2023-46589
Hi all, I am having trouble understanding the description of CVE-2023-46589. Does this CVE affect scenarios where the Apache Tomcat is the reverse proxy, or or when the Apache Tomcat is running behind a reverse proxy? Is the Tomcat vulnerable to request smuggling, or other applications running behind the Tomcat? Thanks and regards Benny