Vulnerabilities > CVE-2019-17569 - HTTP Request Smuggling vulnerability in multiple products
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
LOW Integrity impact
LOW Availability impact
NONE Summary
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- HTTP Request Splitting HTTP Request Splitting (also known as HTTP Request Smuggling) is an attack pattern where an attacker attempts to insert additional HTTP requests in the body of the original (enveloping) HTTP request in such a way that the browser interprets it as one request but the web server interprets it as two. There are several ways to perform HTTP request splitting attacks. One way is to include double Content-Length headers in the request to exploit the fact that the devices parsing the request may each use a different header. Another way is to submit an HTTP request with a "Transfer Encoding: chunked" in the request header set with setRequestHeader to allow a payload in the HTTP Request that can be considered as another HTTP Request by a subsequent parsing entity. A third way is to use the "Double CR in an HTTP header" technique. There are also a few less general techniques targeting specific parsing vulnerabilities in certain web servers.
- HTTP Request Smuggling HTTP Request Smuggling results from the discrepancies in parsing HTTP requests between HTTP entities such as web caching proxies or application firewalls. Entities such as web servers, web caching proxies, application firewalls or simple proxies often parse HTTP requests in slightly different ways. Under specific situations where there are two or more such entities in the path of the HTTP request, a specially crafted request is seen by two attacked entities as two different sets of requests. This allows certain requests to be smuggled through to a second entity without the first one realizing it.
Nessus
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2020-1353.NASL description In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2020-1935) The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2019-17569) When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. (CVE-2020-1938) As part of our fix for this CVE, we are disabling Tomcat 2019 AJP connector in the default configuration in alignment with the upstream changes. This change will require customers who use the default Tomcat configuration (in which the AJP connector was previously enabled) to explicitly re-enable the connector if they need it. Also take note that a connector configured without an explicit address will only bind to the loopback address. Examples of output from netstat before and after updating tomcat8 and tomcat7 are below (note that it is the same on AL1 and AL2 with both tomcat7 and tomcat8). AL1 tomcat7 : before : tcp6 0 0 :::8009 :::* LISTEN 25772/java tcp6 0 0 :::8080 :::* LISTEN 25772/java tcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java After : tcp6 0 0 :::8080 :::* LISTEN 25772/java tcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java To re-enable the AJP port in Tomcat for AL1, users can uncomment the following line in /etc/tomcat{TOMCAT_VERSION}/server.xml and restart the service : <!-- <Connector protocol= last seen 2020-03-19 modified 2020-03-16 plugin id 134575 published 2020-03-16 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134575 title Amazon Linux AMI : tomcat8 (ALAS-2020-1353) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2020-1352.NASL description In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2020-1935) The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. (CVE-2019-17569) When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. (CVE-2020-1938) As part of our fix for this CVE, we are disabling Tomcat 2019 AJP connector in the default configuration in alignment with the upstream changes. This change will require customers who use the default Tomcat configuration (in which the AJP connector was previously enabled) to explicitly re-enable the connector if they need it. Also take note that a connector configured without an explicit address will only bind to the loopback address. Examples of output from netstat before and after updating tomcat8 and tomcat7 are below (note that it is the same on AL1 and AL2 with both tomcat7 and tomcat8). AL1 tomcat7 : before : tcp6 0 0 :::8009 :::* LISTEN 25772/java tcp6 0 0 :::8080 :::* LISTEN 25772/java tcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java After : tcp6 0 0 :::8080 :::* LISTEN 25772/java tcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java To re-enable the AJP port in Tomcat for AL1, users can uncomment the following line in /etc/tomcat{TOMCAT_VERSION}/server.xml and restart the service : <!-- <Connector protocol= last seen 2020-03-19 modified 2020-03-16 plugin id 134574 published 2020-03-16 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134574 title Amazon Linux AMI : tomcat7 (ALAS-2020-1352) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4673.NASL description Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling and code execution in the AJP connector (disabled by default in Debian). last seen 2020-05-12 modified 2020-05-07 plugin id 136369 published 2020-05-07 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136369 title Debian DSA-4673-1 : tomcat8 - security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-345.NASL description This update for tomcat to version 9.0.31 fixes the following issues : Security issues fixed : - CVE-2019-17569: Fixed a regression in the handling of Transfer-Encoding headers that would have allowed HTTP Request Smuggling (bsc#1164825). - CVE-2020-1935: Fixed an HTTP Request Smuggling issue (bsc#1164860). - CVE-2020-1938: Fixed a file contents disclosure vulnerability (bsc#1164692). This update was imported from the SUSE:SLE-15-SP1:Update update project. last seen 2020-03-19 modified 2020-03-16 plugin id 134620 published 2020-03-16 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134620 title openSUSE Security Update : tomcat (openSUSE-2020-345) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2133.NASL description Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. CVE-2019-17569 The refactoring in 7.0.98 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. CVE-2020-1935 The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. CVE-2020-1938 When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. Prior to Tomcat 7.0.100, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. Note that Debian already disabled the AJP connector by default. Mitigation is only required if the AJP port was made accessible to untrusted users. For Debian 8 last seen 2020-03-17 modified 2020-03-06 plugin id 134243 published 2020-03-06 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134243 title Debian DLA-2133-1 : tomcat7 security update NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4680.NASL description Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector (disabled by default in Debian) or a man-in-the-middle attack against the JMX interface. last seen 2020-05-12 modified 2020-05-07 plugin id 136376 published 2020-05-07 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136376 title Debian DSA-4680-1 : tomcat9 - security update NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-3_0-0069_APACHE.NASL description An update of the apache package has been released. last seen 2020-03-27 modified 2020-03-24 plugin id 134872 published 2020-03-24 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134872 title Photon OS 3.0: Apache PHSA-2020-3.0-0069 NASL family Web Servers NASL id TOMCAT_9_0_31.NASL description The version of Tomcat installed on the remote host is prior to 7.0.100, 8.x prior to 8.5.51, or 9.x prior to 9.0.31. It is, therefore, affected by multiple vulnerabilities. - An HTTP request smuggling vulnerability exists in Tomcat due to mishandling Transfer-Encoding headers behind a reverse proxy. An unauthenticated, remote attacker can exploit this, via crafted HTTP requests, to cause unintended HTTP requests to reach the back-end. (CVE-2019-17569) - An HTTP request smuggling vulnerability exists in Tomcat due to bad end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. An unauthenticated, remote attacker can exploit this, via crafted HTTP requests, to cause unintended HTTP requests to reach the back-end. (CVE-2020-1935) - An arbitrary file read vulnerability exists in Tomcat last seen 2020-05-31 modified 2020-02-21 plugin id 133845 published 2020-02-21 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133845 title Apache Tomcat < 7.0.100 / 8.5.x < 8.5.51 / 9.x < 9.0.31 Multiple Vulnerabilities NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-1520.NASL description The remote Redhat Enterprise Linux 6 / 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1520 advisory. - tomcat: local privilege escalation (CVE-2019-12418) - tomcat: session fixation when using FORM authentication (CVE-2019-17563) - tomcat: Regression in handling of Transfer-Encoding header allows for HTTP request smuggling (CVE-2019-17569) - tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling (CVE-2020-1935) - tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability (CVE-2020-1938) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-04-30 modified 2020-04-21 plugin id 135773 published 2020-04-21 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135773 title RHEL 6 / 7 / 8 : Red Hat JBoss Web Server 5.3 release (Important) (RHSA-2020:1520)
Redhat
| rpms |
|
The Hacker News
| id | THN:C6364AF85A1C10659ACD33775E77BDB6 |
| last seen | 2020-02-28 |
| modified | 2020-02-28 |
| published | 2020-02-28 |
| reporter | The Hacker News |
| source | https://thehackernews.com/2020/02/ghostcat-new-high-risk-vulnerability.html |
| title | GhostCat: New High-Risk Vulnerability Affects Servers Running Apache Tomcat |
References
- https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
- https://security.netapp.com/advisory/ntap-20200327-0005/
- https://www.debian.org/security/2020/dsa-4673
- https://www.debian.org/security/2020/dsa-4680
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E