All,
There is a typo in this announcement.
The affected versions of Tomcat8.5 are 8.5.0 to 8.0.82, not 8.5.52.
Thanks,
-chris
On 10/31/22 12:46, Mark Thomas wrote:
CVE-2022-42252 Apache Tomcat - Request Smuggling
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0
Apache Tomcat 10.0.0-M1 to 10.0.26
Apache Tomcat 9.0.0-M1 to 9.0.67
Apache Tomcat 8.5.0 to 8.5.52
Description:
If Tomcat was configured to ignore invalid HTTP headers via setting
rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did
not reject a request containing an invalid Content-Length header making
a request smuggling attackĀ possible if Tomcat was located behind a
reverse proxy that also failed to reject the request with the invalid
header.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Ensure rejectIllegalHeader is set to true
- Upgrade to Apache Tomcat 10.1.1 or later
- Upgrade to Apache Tomcat 10.0.27 or later
- Upgrade to Apache Tomcat 9.0.68 or later
- Upgrade to Apache Tomcat 8.5.83 or later
Credit:
Thanks to Sam Shahsavar who discovered this issue and reported it to the
Apache Tomcat security team.
History:
2022-10-31 Original advisory
References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
