https://bz.apache.org/bugzilla/show_bug.cgi?id=69826
Bug ID: 69826
Summary: The compression logic only checks for "gzip" and "br"
encodings but misses other compression formats,
potentially causing double compression. This wastes
CPU resources and may increase response size due to
compression overhead.
Product: Tomcat 11
Version: 11.0.0
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -------
Created attachment 40107
--> https://bz.apache.org/bugzilla/attachment.cgi?id=40107&action=edit
a full report about this bug
# **Security Vulnerability Report: Incomplete Content-Encoding Check**
**Status:** Open
**Severity:** Medium
**Component:** `org.apache.coyote.CompressionConfig`
**Bug ID:** SEC-2023-COMPRESSION-ENCODING-002
## Summary
The compression logic only checks for "gzip" and "br" encodings but misses
other compression formats, potentially causing double compression. This wastes
CPU resources and may increase response size due to compression overhead.
## Technical Details
**Vulnerable Method:** `useCompression()` in CompressionConfig class
**Issue:** Incomplete Content-Encoding header validation misses common
compression formats like deflate, compress, zstd, and x-gzip
**Impact:** Performance degradation, unnecessary CPU usage, and potential
client compatibility issues
## Affected Code
```java
if (tokens.contains("gzip") || tokens.contains("br")) {
return false; // Only checks two of many compression types
}
```
## Recommended Fix
```java
// Expand check to include all common compression formats
if (tokens.contains("gzip") || tokens.contains("br") ||
tokens.contains("deflate") || tokens.contains("compress") ||
tokens.contains("zstd") || tokens.contains("x-gzip")) {
return false;
}
// Additionally check for any non-identity encoding
```
**CVSS Score:** 5.3 (Medium) - AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
# **Impact and Attack Methods: Incomplete Content-Encoding Check**
## Impact Analysis
### 1. Performance Degradation
- **CPU Resource Exhaustion**: Double compression wastes significant CPU cycles
on redundant operations
- **Increased Response Times**: Additional compression layer adds processing
latency
- **Reduced Server Capacity**: More threads occupied with unnecessary
compression tasks
### 2. Size Inflation
- **Compression Overhead**: Secondary compression can increase file size due
to:
- Compression headers and metadata
- Inefficient re-compression of already compressed data
- Algorithm incompatibility between compression layers
### 3. Client Compatibility Issues
- **Unexpected Encoding**: Clients may receive content with unfamiliar encoding
combinations
- **Decoding Failures**: Some clients may not handle doubly-compressed content
properly
- **Content Corruption**: Potential for data corruption through layered
compression
### 4. System Stability
- **Memory Pressure**: Additional compression operations consume more memory
- **Thread Blocking**: Compression operations may block request processing
threads
- **Cascade Failures**: Under heavy load, this could contribute to system
instability
## Attack Methods
### 1. Direct Configuration Attack
**Prerequisite**: Access to server configuration
**Method**:
- Configure upstream services to apply alternative compression (deflate, zstd,
etc.)
- Bypass compression detection while still consuming resources
### 2. Response Manipulation
**Prerequisite**: Ability to modify HTTP responses
**Method**:
- Intercept and modify responses to include alternative encodings
- Force double compression through middleware or proxies
### 3. Content-Type Exploitation
**Prerequisite**: Knowledge of application behavior
**Method**:
- Force generation of content that upstream components will compress
- Use endpoints that return already-compressed data formats
### 4. Resource Amplification
**Prerequisite**: Ability to make repeated requests
**Method**:
- Send multiple requests for compressible content
- Trigger maximum CPU usage through repeated double compression
- Consume server resources disproportionately to request volume
### 5. Cache Poisoning
**Prerequisite**: Access to caching mechanisms
**Method**:
- Store doubly-compressed content in caches
- Propagate inefficient content versions throughout system
- Increase storage requirements and reduce cache effectiveness
## Attack Scenarios
### Scenario 1: Denial of Service through Resource Consumption
```
1. Attacker identifies server with vulnerable compression config
2. Configures upstream service to apply 'deflate' compression
3. Sends repeated requests for large, compressible content
4. Server applies gzip compression on top of deflate compression
5. CPU usage spikes due to double compression operations
6. Legitimate requests experience performance degradation
```
### Scenario 2: Size Amplification Attack
```
1. Attacker crafts requests for specific content types
2. Upstream component applies compress encoding
3. Vulnerable compression layer adds gzip encoding
4. Response size increases by 10-20% due to compression overhead
5. Network bandwidth consumption increases disproportionately
6. Content delivery costs rise for service provider
```
### Scenario 3: Client Compatibility Attack
```
1. Attacker determines target client software with limited decoding support
2. Forces content through double compression path
3. Client receives content with unfamiliar encoding combination
4. Client fails to properly decode content
5. User experiences broken functionality or content rendering issues
```
## Detection Methods
### 1. Monitoring Anomalies
- **CPU Usage**: Unexplained spikes in compression-related processing
- **Response Sizes**: Abnormal size patterns for typically compressible content
- **Content-Encoding Headers**: Unexpected encoding combinations in responses
### 2. Log Analysis
- **Double Compression Patterns**: Log entries showing compression of
already-encoded content
- **Encoding Mismatches**: Discrepancies between upstream and final encodings
- **Performance Metrics**: Increased processing time for specific content types
## Prevention Strategies
### 1. Comprehensive Encoding Checks
```java
// Implement complete encoding detection
private boolean isAlreadyCompressed(Set<String> encodings) {
for (String encoding : encodings) {
if (COMPRESSION_ENCODINGS.contains(encoding.toLowerCase())) {
return true;
}
}
return false;
}
// Maintain complete set of compression encodings
private static final Set<String> COMPRESSION_ENCODINGS = Set.of(
"gzip", "br", "deflate", "compress", "zstd", "sdch", "x-gzip"
);
```
### 2. Content-Type Awareness
- Skip compression for already-compressed formats (images, archives, media
files)
- Implement whitelist-based approach for compressible content types
### 3. Performance Safeguards
- Implement compression timeouts
- Add circuit breakers for compression operations
- Monitor and alert on abnormal compression ratios
### 4. Defense in Depth
- Configure upstream components to avoid redundant compression
- Implement consistent encoding policies across infrastructure
- Regular audits of compression configurations and effectiveness
## Summary of Risks
| Risk Level | Impact Area | Description |
|------------|-------------|-------------|
| High | CPU Resources | Double compression wastes significant processing power
|
| Medium | Bandwidth | May increase response sizes instead of reducing them |
| Medium | System Stability | Could contribute to resource exhaustion under
load |
| Low | Client Compatibility | Some clients may not handle unusual encoding
combinations |
This vulnerability primarily enables resource consumption attacks rather than
traditional security breaches, but can significantly impact system performance
and reliability.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
