Open source web container now patched against six-year-old bug

HTTP request smuggling vulnerability in Apache Tomcat has been present since 2015

A HTTP request smuggling vulnerability in Apache Tomcat has been present “since at least 2015”, the project maintainers have warned.

Apache Tomcat is an open source Java servlet container which is maintained by the Apache Software Foundation.

In release notes posted online (insecure link), maintainers of Tomcat revealed that the vulnerability was discovered in multiple versions of the software.

“Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy,” it reads.

“Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; Tomcat honoured the identify encoding; and Tomcat did not ensure that, if present, the chunked encoding was the final encoding.”

Read more of the latest security vulnerability news

Mark Thomas, member of the Apache Tomcat Project Management Committee, told The Daily Swig that the vulnerability “has been present in the Tomcat codebase since at
least 2015”.

“It may have been present before that, but that is earliest release of the current supported versions,” Thomas said, but added that the committee – which is entirely staffed by volunteers – doesn’t check older, unsupported versions.

Tomcat server patch

HTTP request smuggling is a hacking technique that can be used to interfere with the way a website processes sequences of HTTP requests that are received from one or more users.

Request smuggling vulnerabilities are often critical and can allow an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users.

The vulnerability was reported to the Apache Software Foundation by researchers Bahruz Jabiyev, Steven Sprecher, and Kaan Onarlioglu of NEU SecLab, Northeastern University in Boston, Massachusetts.

It has yet to be assigned a CVSS score. However, Tomcat security team rated it as ‘important’ on a scale of ‘low, moderate, important, or critical’.

READ MORE HTTP request smuggling: HTTP/2 opens a new attack tunnel

The vulnerability was reported “responsibly”, Thomas said, on May 7, 2021. “We had a patch (actually, a series of three patches) agreed privately by May 11,” Thomas told The Daily Swig.

Those patches were made public on Jun 8, although the public announcement was delayed until July 12, since certain versions contained a significant regression in JSP processing, Thomas said.

Users of the affected versions should update to Apache Tomcat 10.0.7 or later, 9.0.48 or later, or 8.5.68 or later. The issue was fixed in 9.0.47 and 8.5.67 “but the release votes for those versions did not pass”, said Thomas.

YOU MAY ALSO LIKE ‘Being serious about security is a must’ – Apache Software Foundation custodians on fulfilling its founding mission