===================================================================== CERT-Renater Note d'Information No. 2023/VULN489 _____________________________________________________________________ DATE : 29/11/2023 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior to 11.0.0-M11, 10.1.16, 9.0.83, 8.5.96. ===================================================================== https://lists.apache.org/thread/o9bj0m9q94zpn88nnq7zko3c0l5ksvfh _____________________________________________________________________ [SECURITY] CVE-2023-46589 Apache Tomcat - Request Smuggling CVE-2023-46589 Apache Tomcat - Request Smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M10 Apache Tomcat 10.1.0-M1 to 10.1.15 Apache Tomcat 9.0.0-M1 to 9.0.82 Apache Tomcat 8.5.0 to 8.5.95 Description: Tomcat did not correctly parse HTTP trailer headers. A specially crafted trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.0-M11 or later - Upgrade to Apache Tomcat 10.1.16 or later - Upgrade to Apache Tomcat 9.0.83 or later - Upgrade to Apache Tomcat 8.5.96 or later Credit: This vulnerability was reported responsibly to the Tomcat security team by Norihito Aimoto (OSSTech Corporation). History: 2023-11-28 Original advisory References: [1] https://tomcat.apache.org/security-11.html [2] https://tomcat.apache.org/security-10.html [3] https://tomcat.apache.org/security-9.html [4] https://tomcat.apache.org/security-8.html ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================