{
  "threat_severity" : "Moderate",
  "public_date" : "2023-10-10T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: incorrectly parsed http trailer headers can cause request smuggling",
    "id" : "2243749",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2243749"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.\nOlder, EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.", "A flaw was found in Apache Tomcat, where improper input validation can occur. This flaw allows a malicious user to send a crafted request containing an invalid trailer header, which could be treated as multiple requests, potentially leading to request smuggling when behind a reverse proxy." ],
  "statement" : "Request smuggling is not guaranteed to yield relevant information from every request, and the scenario additionally requires a reverse proxy in front of Tomcat that also fails to handle the request correctly; hence the Moderate impact.\nThe Red Hat AMQ Broker team removed all tomcat dependencies in version 7.11.3. Please refer to https://errata.devel.redhat.com/advisory/121941.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-01-10T00:00:00Z",
    "advisory" : "RHSA-2024:0125",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "tomcat-1:9.0.62-27.el8_9.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-01-25T00:00:00Z",
    "advisory" : "RHSA-2024:0474",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "tomcat-1:9.0.62-37.el9_3.1"
  }, {
    "product_name" : "Red Hat Fuse 7.12.1",
    "release_date" : "2023-11-15T00:00:00Z",
    "advisory" : "RHSA-2023:7247",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:6207",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 7",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:6206",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el7",
    "package" : "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 8",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:6206",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el8",
    "package" : "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.7 on RHEL 9",
    "release_date" : "2023-10-31T00:00:00Z",
    "advisory" : "RHSA-2023:6206",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.7::el9",
    "package" : "jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces 3 Containers",
    "release_date" : "2024-07-18T00:00:00Z",
    "advisory" : "RHSA-2024:4631",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3::el8",
    "package" : "devspaces/server-rhel8:3.15-3"
  } ],
  "package_state" : [ {
    "product_name" : "A-MQ Clients 2",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:a_mq_clients:2"
  }, {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 3",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:3"
  }, {
    "product_name" : "Red Hat build of OptaPlanner 8",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:optaplanner:::el6"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "pki-servlet-container",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:amq_streams:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-45648\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-45648\nhttp://www.openwall.com/lists/oss-security/2023/10/10/10\nhttps://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp" ],
  "name" : "CVE-2023-45648",
  "mitigation" : {
    "value" : "No mitigation is currently available for this flaw.",
    "lang" : "en:us"
  },
  "csaw" : false
}