The Apache Tomcat fix for CVE-2023-24998 was incomplete across versions 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73, and 8.5.85 to 8.5.87. A potential denial of service attack could be executed by bypassing the limit for uploaded request parts if the maxParameterCount limit could be reached using query string parameters, which could cause system slowdown or crashes.

Overview

The vulnerability CVE-2023-24998 was previously addressed and appeared to be fixed for Apache Tomcat. However, it has been discovered that the fix was incomplete, leaving systems vulnerable to denial of service attacks under specific circumstances. In particular, if non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed. This could lead to an attacker flooding the server with many request parts, leading to a potential denial of service.

Exploit Details

A potential attacker could exploit this vulnerability by crafting a malicious request with many query string parameters, reaching the maxParameterCount limit. This specially crafted request would allow them to bypass the limit for uploaded request parts.

// Java illustration from the advisory: build a query string that carries
// exactly maxParameterCount parameters (Tomcat's documented default is 10000)
int maxParameterCount = 10000;
StringBuilder maliciousRequest = new StringBuilder("http://example.com/somepage?a=1");
for (int i = 2; i <= maxParameterCount; i++) {
  maliciousRequest.append("&a=").append(i);
}

Upon submitting this request, the attacker could successfully cause the server to be overwhelmed, ultimately causing a denial of service. Consequently, the affected system could experience slowdowns and even crashes.

Original References

- Apache Tomcat: https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M5
- CVE-2023-24998: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24998
- maxParameterCount: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Standard_Implementation

Mitigation

Users of Apache Tomcat are highly advised to upgrade to versions 11.0.0-M5, 10.1.8, 9.0.74, or newer, which contain the complete fix for this issue. In addition, it is crucial to ensure that the maxParameterCount limit is properly set to prevent such attacks.

<!-- In server.xml -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxParameterCount="10000" /> <!-- Set the appropriate limit here -->
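The following Python script is an added example for checking the two mitigation points above; it is not part of the advisory or of Apache Tomcat. It compares a Tomcat version string against the affected ranges the advisory lists (milestone builds such as 11.0.0-M3 are ordered before the corresponding GA release) and reports the effective maxParameterCount of every Connector in a server.xml, falling back to Tomcat's documented default of 10000 when the attribute is absent. The server.xml content embedded below is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges (inclusive) as stated in the advisory.
AFFECTED_RANGES = [
    ("11.0.0-M2", "11.0.0-M4"),
    ("10.1.5", "10.1.7"),
    ("9.0.71", "9.0.73"),
    ("8.5.85", "8.5.87"),
]

# Tomcat's documented default for the maxParameterCount Connector attribute.
DEFAULT_MAX_PARAMETER_COUNT = 10000

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
GA_MARKER = 10**6  # larger than any milestone number, so 11.0.0 sorts after 11.0.0-M4


def parse_version(text):
    """Turn '9.0.72' or '11.0.0-M3' into a comparable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else GA_MARKER)


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def connector_limits(server_xml):
    """Return [(port, effective maxParameterCount)] for every Connector element."""
    root = ET.fromstring(server_xml)
    limits = []
    for connector in root.iter("Connector"):
        raw = connector.get("maxParameterCount")
        effective = int(raw) if raw is not None else DEFAULT_MAX_PARAMETER_COUNT
        limits.append((connector.get("port"), effective))
    return limits


# Constructed sample server.xml: one connector with an explicit limit, one without.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               maxParameterCount="2000" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
  </Service>
</Server>
"""


def report(version, server_xml):
    """Human-readable summary combining both checks."""
    lines = [f"Tomcat {version}: {'AFFECTED, upgrade' if is_affected(version) else 'not in an affected range'}"]
    for port, limit in connector_limits(server_xml):
        source = "explicit" if limit != DEFAULT_MAX_PARAMETER_COUNT else "default or explicit 10000"
        lines.append(f"Connector port {port}: maxParameterCount={limit} ({source})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("9.0.72", SAMPLE_SERVER_XML))
```

Run it with the version string from `catalina.sh version` (or the `Server Info` line in catalina.out) and the path to your server.xml; a connector that relies on the default value is worth reviewing explicitly, because the advisory's bypass depends on how the limit interacts with the connector's other settings.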

Conclusion

It is crucial for users of Apache Tomcat to stay vigilant and ensure they are running the latest version to protect their systems from potential threats and vulnerabilities. As CVE-2023-28709 demonstrates, even seemingly fixed issues can contain incomplete patches, leading to continued vulnerability. By staying informed and keeping software up to date, users can protect their systems against such threats.

Timeline

Published on: 05/22/2023 11:15:00 UTC
Last modified on: 05/27/2023 00:46:00 UTC