CVE-2022-42252: Apache Tomcat - Request Smuggling

[Mark Thomas <markt () apache org>]

CVE-2022-42252 Apache Tomcat - Request Smuggling

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.0
Apache Tomcat 10.0.0-M1 to 10.0.26
Apache Tomcat 9.0.0-M1 to 9.0.67
Apache Tomcat 8.5.0 to 8.5.52

Description:
If Tomcat was configured to ignore invalid HTTP headers via setting
rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did 
not reject a request containing an invalid Content-Length header making 
a request smuggling attack  possible if Tomcat was located behind a 
reverse proxy that also failed to reject the request with the invalid 
header.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Ensure rejectIllegalHeader is set to true
- Upgrade to Apache Tomcat 10.1.1 or later
- Upgrade to Apache Tomcat 10.0.27 or later
- Upgrade to Apache Tomcat 9.0.68 or later
- Upgrade to Apache Tomcat 8.5.83 or later

Credit:
Thanks to Sam Shahsavar who discovered this issue and reported it to the 
Apache Tomcat security team.

History:
2022-10-31 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html