Apache Tomcat HTTP Request Smuggling Vulnerability Fixed by 6.0.43, 7.0.55 and 8.0.9


Description   An HTTP request smuggling vulnerability has been identified in Apache Tomcat. A remote attacker could exploit it by sending an unlimited quantity of data within the same malformed request, leading to consumption of server resources.

This vulnerability stems from improper handling of requests by the 'ChunkedInputFilter' implementation.

The tomcat6 packages provided by Debian 6 and Wheezy 7, as well as the tomcat7 packages provided by Debian Wheezy 7, are vulnerable.

Updated, 10/04/2015:
F5 has published the list of products impacted by this vulnerability:
- BIG-IP ASM
- BIG-IP GTM
- BIG-IP Link Controller
- BIG-IP LTM
- BIG-IP WebAccelerator module
- Enterprise Manager

Updated, 23/07/2015:
BlueCoat announces that Content Analysis System 1.1 is impacted by this vulnerability.
     
Vulnerable Products   Vulnerable OS:
- BIG-IP ASM (F5) - 10.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, ..., 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4
- BIG-IP GTM (F5) - 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, ..., 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4
- BIG-IP Link Controller (F5) - 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, ..., 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4
- BIG-IP LTM (F5) - 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, ..., 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4
- BIG-IP WebAccelerator module (F5) - 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.2.1, ..., 11.3.0 HF5, 11.3.0 HF6, 11.3.0 HF7, 11.3.0 HF8, 11.3.0 HF9
- Business Server (Mandriva) - 1, 2
- CentOS (Red Hat) - 6, 7
- Enterprise Linux 6 (Red Hat) - Desktop, HPC Node, Server, Workstation
- Enterprise Linux 7 (Red Hat) - Desktop, HPC Node, Server, Workstation
- Enterprise Manager (F5) - 2.1.0, 2.1.0-HF1, 2.1.0-HF2, 2.2.0, 2.2.0-HF1, ..., 3.0.0, 3.1.0, 3.1.1, 3.1.1 HF1, 3.1.1 HF2
- Fedora (Red Hat) - 20, 21
- GNU/Linux (Debian) - 6, 7
- HP-UX (HP) - B.11.31
- Linux Enterprise Desktop (SUSE) - 11 SP3
- Linux Enterprise Server (SUSE) - 11 SP3, 11 SP4
- Linux Server (Oracle) - 6, 7
- Ubuntu Linux (Ubuntu) - 12.04 LTS, 14.04 LTS, 14.10, 15.04

Vulnerable Software:
- Content Analysis System (CAS) (Blue Coat) - 1.1, 1.2
- EPolicy Orchestrator (McAfee) - 5.0, 5.1.0, 5.1.1
- JBPM (JBoss Inc.) - 6.0.1, 6.0.2, 6.0.3
- Rational DOORS NG (IBM) - 4.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, ..., 4.0.7, 5.0, 5.0.0, 5.0.1, 5.0.2
- Secure Global Desktop (Oracle) - 4.63, 4.71, 5.1
- Tivoli Application Dependency Discovery Manager (IBM) - 7.2.0, 7.2.0.0, 7.2.0.10, 7.2.1, 7.2.1.0, ..., 7.2.2.0, 7.2.2.1, 7.2.2.2, 7.2.2.3, 7.3.0.0
- Tivoli Common Reporting (IBM) - 2.1, 2.1.1, 2.1.1.2, 3.1.0.0, 3.1.0.1, 3.1.0.2, 3.1.2
- Tivoli Rational Directory Server (IBM) - 5.1.1.2, 5.2.1.0
- Tomcat (Apache Software Foundation) - 6.0, 6.0.0, 6.0.1, 6.0.10, 6.0.11, ..., 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8
- WebSphere Application Server (IBM) - Community Edition V3.0.0.4
     
Solution   Fixed tomcat6 packages for Debian Wheezy 7 are available.
     
CVE   CVE-2014-0227
     
References   - Bugtraq : CVE-2014-0227 Apache Tomcat Request Smuggling
http://seclists.org/bugtraq/2015/Feb/65
- DebianSecurityTracker : tomcat6 & tomcat7
https://security-tracker.debian.org/tracker/CVE-2014-0227
- FEDORA-2015-2109 : Fedora 21 Update: tomcat-7.0.59-1.fc21
http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html
- RHSA-2015:0234-1 : Red Hat JBoss BPM Suite 6.0.3 security update
https://rhn.redhat.com/errata/RHSA-2015-0234.html
- MDVSA-2015:053 : tomcat6
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:053
- MDVSA-2015:052 : tomcat
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:052
- MDVSA-2015:084 : tomcat
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2015:084
- IBM : Rational Directory Server (Apache) Interim Fix 7 for 5.1.1.2
http://www-01.ibm.com/support/docview.wss?uid=swg24039683
- IBM : Rational Directory Server (Tivoli) Interim Fix 6 for 5.2.1
http://www-01.ibm.com/support/docview.wss?uid=swg24039681
- sol16344: Apache Tomcat vulnerability CVE-2014-0227
https://support.f5.com/kb/en-us/solutions/public/16000/300/sol16344.html
- IBM : Security vulnerabilities in Apache Tomcat affects multiple IBM Rational products based on IBM's Jazz technology (CVE-2014-0227)
http://www-01.ibm.com/support/docview.wss?uid=swg21700351
- IBM : RC4 stream cipher vulnerability and HTTP request smuggling vulnerability affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2015-2808, CVE-2014-0227)
https://www-304.ibm.com/support/docview.wss?uid=swg21882717
- ELSA-2015-0991 : Oracle Linux 6 tomcat6 security and bug fix update
http://oss.oracle.com/pipermail/el-errata/2015-May/005064.html
- CESA-2015:0991 : Moderate CentOS 6 tomcat6 Security Update
http://lists.centos.org/pipermail/centos-announce/2015-May/021105.html
- RHSA-2015:0991 : tomcat6 security and bug fix update
http://rhn.redhat.com/errata/RHSA-2015-0991.html
- CESA-2015:0983 : Moderate CentOS 7 tomcat Security Update
http://lists.centos.org/pipermail/centos-announce/2015-May/021128.html
- RHSA-2015:0983 : tomcat security update
http://rhn.redhat.com/errata/RHSA-2015-0983.html
- ELSA-2015-0983 : Oracle Linux 7 tomcat security update
http://oss.oracle.com/pipermail/el-errata/2015-May/005042.html
- DLA 232-1 : tomcat6 security update
https://lists.debian.org/debian-lts-announce/2015/05/msg00016.html
- McAfee : ePolicy Orchestrator 5.1.2
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25902/en_US/epo_512_rn_0-00_en-us.pdf
- HPSBUX03341 SSRT102068 rev.1 - HP-UX Apache Tomcat v7.x, Remote Denial of Service (DoS) and Other Vulnerabilities
https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04693706
- HPSBUX03337 SSRT102066 rev.1 - HP-UX Apache Web Server Suite running Apache Web Server, Tomcat v6.x, or PHP v5.4.x, Remote Denial of Service (DoS) and Other Vulnerabilities
https://h20564.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04686230
- USN-2655-1 : Tomcat vulnerabilities
http://www.ubuntu.com/usn/USN-2655-1/
- USN-2654-1 : Tomcat vulnerabilities
http://www.ubuntu.com/usn/USN-2654-1/
- Oracle Critical Patch Update Advisory - July 2015
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- BlueCoat SA100 : Apache Tomcat Vulnerabilities
https://bto.bluecoat.com/security-advisory/sa100
- SUSE-SU-2015:1337-1 : Security update for tomcat6
https://www.suse.com/support/update/announcement/2015/suse-su-20151337-1.html
- IBM Security Bulletin: Multiple vulnerability in Product IBM Tivoli Common Reporting(CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2014-0227, CVE-2015-0209 , CVE-2015-0286 , CVE-2015-0289) - United States
http://www-01.ibm.com/support/docview.wss?uid=swg21963024
- IBM : Vulnerability in Apache Tomcat may affect IBM WebSphere Application Server Community Edition (CVE-2014-0227)
http://www-01.ibm.com/support/docview.wss?uid=swg21957815
- SUSE-SU-2015:1565-1 : Security update for tomcat6
http://lists.suse.com/pipermail/sle-security-updates/2015-September/001594.html
- DSA 3530-1 : tomcat6 security update
https://lists.debian.org/debian-security-announce/2016/msg00104.html
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarms (available since):
- HTTP Request Smuggling : HTTP command found in header (3.2.0)
- HTTP Request Smuggling : Content-Length and Transfer-Encoding: chunked fields in header (3.2.0)
- HTTP Request Smuggling : suspicious syntax using HTTP keyword (3.2.0)
- HTTP Request Smuggling : multiple Content-Length fields (3.2.0)
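The four alarm names above describe framing ambiguities that a proxy, WAF or log-analysis job can check for independently of the IPS. The checker below is an added example, not the ASQ engine's code or anything from the Apache Tomcat project: the four heuristics are this editor's reading of the alarm names (the "suspicious syntax using HTTP keyword" rule, in particular, is interpreted here as an HTTP-version token appearing inside a header value), and the sample requests are constructed, not captured traffic.

```python
"""Flag the HTTP request smuggling indicators named in the IPS alarm list.

Added example; the heuristics are an editor's interpretation of the alarm
names, not the ASQ engine's actual detection logic.
"""

import re

# HTTP/1.x method tokens: a header line that starts with one of these reads
# like a second request line pushed into the header block.
METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH", "TRACE", "CONNECT"}

# An HTTP-version token belongs only on the request line.
HTTP_VERSION = re.compile(r"\bHTTP/1\.[01]\b")


def parse_head(raw: bytes):
    """Split a raw request into (request_line, header_lines).

    Only the head (everything before the first blank line) is examined, since
    the alarms concern framing headers, not body content. latin-1 decoding is
    lossless for arbitrary bytes, so odd octets cannot raise here.
    """
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("latin-1").split("\r\n")
    return lines[0], [line for line in lines[1:] if line]


def smuggling_indicators(raw: bytes) -> list:
    """Return the alarm names triggered by one request, in the table's order."""
    _request_line, header_lines = parse_head(raw)
    alarms = []

    # Alarm 1: a method token at the start of a header line.
    if any(line.split(" ", 1)[0].upper() in METHODS for line in header_lines):
        alarms.append("HTTP command found in header")

    # Collect (name, value) pairs case-insensitively, keeping duplicates.
    fields = [(line.partition(":")[0].strip().lower(), line.partition(":")[2].strip())
              for line in header_lines if ":" in line]
    content_lengths = [v for n, v in fields if n == "content-length"]
    te_values = [v.lower() for n, v in fields if n == "transfer-encoding"]

    # Alarm 2: both framing mechanisms present. RFC 7230 gives Transfer-Encoding
    # precedence and tells a server to treat the combination as an error or drop
    # Content-Length before forwarding; two hops that disagree on which header
    # frames the body is exactly the ambiguity request smuggling relies on.
    if content_lengths and any("chunked" in v for v in te_values):
        alarms.append("Content-Length and Transfer-Encoding: chunked fields in header")

    # Alarm 3 (editor's interpretation): an HTTP-version token inside a header value.
    if any(HTTP_VERSION.search(v) for _, v in fields):
        alarms.append("suspicious syntax using HTTP keyword")

    # Alarm 4: more than one Content-Length field, so the body length is ambiguous.
    if len(content_lengths) > 1:
        alarms.append("multiple Content-Length fields")

    return alarms


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CL_TE = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DOUBLE_CL = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 5\r\nContent-Length: 50\r\n\r\nhello")
EMBEDDED = (b"GET / HTTP/1.1\r\nHost: app.example\r\n"
            b"GET /status HTTP/1.1\r\nX-Note: see HTTP/1.1 spec\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl+te", CL_TE),
                       ("double-cl", DOUBLE_CL), ("embedded", EMBEDDED)]:
        print(f"{label:10} -> {smuggling_indicators(req) or ['no alarm']}")
```

The checker inspects only the request head, so it is cheap enough to run inline on a reverse proxy or over an access-log sample. A proxy that normalises the head before forwarding (rejecting requests that trip alarm 2 or 4, rather than picking one header) removes the disagreement between front end and back end that the page's alarms are looking for.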
     
Risk level   Moderate

Vulnerability First Public Report Date   2015-02-09

Target Type   Server

Possible exploit   Remote