CVE-2022-42252: Apache Tomcat Request Smuggling Attack via Invalid Content-Length Headers

In this post, we will discuss the vulnerability CVE-2022-42252 affecting Apache Tomcat versions 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26, and 10.1.0-M1 to 10.1.0. When Tomcat is configured to ignore invalid HTTP headers, it does not reject a request carrying an invalid Content-Length header; if the reverse proxy in front of Tomcat also fails to reject that request, an attacker can use the disagreement between the two to perform a request smuggling attack.

Background

Request smuggling is a technique in which an attacker crafts an HTTP request so that a front-end component (a reverse proxy or load balancer) and the back-end server disagree on where one request ends and the next begins. The attacker can then bypass front-end security controls and reach web application functionality that should not be accessible. For this vulnerability, Tomcat does not reject a request containing an invalid Content-Length header when it is configured to ignore invalid HTTP headers, that is, when the connector attribute rejectIllegalHeader is set to false. This is the default setting only in the Apache Tomcat 8.5.x branch.

Vulnerability Details

To understand the vulnerability, let's first look at an example of an HTTP request containing an invalid Content-Length header:

POST /example HTTP/1.1
Host: vulnerable.site
Content-Length: 10
Content-Length: 5

hello

In the example above, the request contains two Content-Length headers with different values, so the length of the message body is ambiguous and the request should be rejected as illegal. Apache Tomcat does not reject it when it is configured to ignore invalid HTTP headers with rejectIllegalHeader set to false.

When Apache Tomcat sits behind a reverse proxy that also fails to reject this request with the invalid header, the proxy and Tomcat may each pick a different Content-Length value, and a request smuggling attack becomes possible. An attacker can use this disagreement to bypass security controls enforced by the proxy and access restricted parts of the web application.
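As an added example that is not part of the original post, the following Python function implements the strict Content-Length check that both Tomcat (with rejectIllegalHeader="true") and the reverse proxy in front of it are expected to perform on a request like the one above. The sample requests are constructed for illustration.

```python
# Added example (not from the original post or the Tomcat project): a strict
# validator for Content-Length framing. It rejects every request whose body
# length is ambiguous, which is exactly the condition a front end and a back
# end need to disagree on for request smuggling.

# Constructed sample: the request from the post, two conflicting Content-Length headers.
CONFLICTING_REQUEST = (
    b"POST /example HTTP/1.1\r\n"
    b"Host: vulnerable.site\r\n"
    b"Content-Length: 10\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

# Constructed sample: a well-formed request with a single numeric Content-Length.
CLEAN_REQUEST = (
    b"POST /example HTTP/1.1\r\n"
    b"Host: vulnerable.site\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def validate_content_length(raw_request: bytes) -> tuple:
    """Return (accepted, reason) for a raw HTTP/1.1 request.

    Rejected framings: a missing header terminator, a malformed header line,
    more than one Content-Length header (even with identical values, which is
    stricter than RFC 9110, which only mandates rejecting differing values),
    or a value that is not a plain decimal number.
    """
    head, terminator, _body = raw_request.partition(b"\r\n\r\n")
    if not terminator:
        return False, "incomplete header block"
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        if not colon:
            return False, "malformed header line"
        if name.strip().lower() == b"content-length":
            values.append(value.strip())
    if len(values) > 1:
        return False, "multiple Content-Length headers: %s" % b", ".join(values).decode()
    if values and not values[0].isdigit():
        return False, "non-numeric Content-Length: %r" % values[0]
    return True, "ok"
```

A request with no Content-Length at all is accepted by this check; body framing for such requests is governed by Transfer-Encoding, which is outside the scope of this post.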

Exploit

Exploiting this vulnerability depends on two conditions holding at once: Apache Tomcat accepting the invalid header (the 8.5.x default, or an explicit rejectIllegalHeader="false" on other branches) and the reverse proxy in front of it forwarding the request instead of rejecting it. The attacker sends an HTTP request with an invalid Content-Length header to the reverse proxy, which passes it on to the vulnerable Tomcat instance.

Mitigation

To mitigate this vulnerability, configure Apache Tomcat to reject illegal headers by setting the rejectIllegalHeader connector attribute to true. Add the following attribute to the HTTP <Connector> element in Tomcat's server.xml file:

rejectIllegalHeader="true"

Additionally, ensure that the reverse proxy in front of Apache Tomcat is configured to reject requests containing invalid HTTP headers. How this is done varies between reverse proxies. For example, in Nginx you can use the ignore_invalid_headers directive (on is Nginx's default value; verify that it has not been switched off) as follows:

http {
  ...
  ignore_invalid_headers on;
  ...
}

Finally, keep your Apache Tomcat server up to date with the latest security patches and releases. This issue is fixed in Apache Tomcat 8.5.83, 9.0.68, 10.0.27, and 10.1.1, and the configuration changes above should be treated as a stopgap until the upgrade is done.

References

1. Original CVE report: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42252
2. Apache Tomcat Security release notes: https://tomcat.apache.org/security.html
3. Apache Tomcat Configuration Reference: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html

Timeline

Published on: 11/01/2022 09:15:00 UTC
Last modified on: 05/30/2023 06:15:00 UTC