Apache Tomcat has identified an Improper Input Validation vulnerability (CVE-2023-45648) in several versions of its software that could result in request smuggling when used behind a reverse proxy. This post aims to provide an in-depth look at the vulnerability, linking to original references, and detailing the exploit and mitigation measures.
Exploit Details
Tomcat, from versions 11..-M1 through 11..-M11, 10.1.-M1 through 10.1.13, 9..-M1 through 9..81, and 8.5. through 8.5.93, contained a bug in the HTTP trailer header parser. This bug allowed an attacker to create specially crafted, invalid trailer headers that could cause Tomcat to treat a single request as multiple requests. This misinterpretation of requests could result in request smuggling when used behind a reverse proxy system.
Here is an example of a malicious request
POST /search HTTP/1.1
Host: example.com
Transfer-Encoding: chunked
Content-Length: 6
GET /user/secrets HTTP/1.1
Host: example.com
A reverse proxy system could interpret the above request as multiple requests, making it possible for an attacker to exploit the vulnerability and gain unauthorized access.
Mitigation Measures
Tomcat has released new versions which resolve the vulnerability. Users are recommended to upgrade their installations to the following version lines:
8.5.94 onwards
Upgrading to these versions eliminates the parsing issue and mitigates the risk of request smuggling.
Original References
- Apache Tomcat Project Page
- CVE-2023-45648 Vulnerability Details
- Apache Tomcat Security Advisory
Conclusion
The Improper Input Validation vulnerability in Apache Tomcat poses a significant risk for applications behind reverse proxy systems. Users of affected versions should upgrade to the recommended versions to ensure the security and integrity of their applications.
Timeline
Published on: 10/10/2023 19:15:09 UTC
Last modified on: 11/04/2023 06:15:52 UTC