SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Apache Tomcat
Vendors:   Apache Software Foundation
Apache Tomcat 'ChunkedInputFilter.java' Processing Flaw Lets Remote Users Smuggle HTTP Requests
SecurityTracker Alert ID:  1032791
SecurityTracker URL:  http://securitytracker.com/id/1032791
CVE Reference:   CVE-2014-0227
Date:  Jul 7 2015
Impact:   Denial of service via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6.0.0 to 6.0.41, 7.0.0 to 7.0.54, 8.0.0-RC1 to 8.0.8
Description:   A vulnerability was reported in Apache Tomcat. A remote user may be able to conduct HTTP request smuggling attacks against web-based applications on the target system.

A remote user can submit a specially crafted request to trigger a flaw in 'java/org/apache/coyote/http11/filters/ChunkedInputFilter.java' and cause the Apache Tomcat server to read part of the request as a new request. This allows the remote user to embed a request within another request and modify data or cause denial of service on the target system.

Impact:   A remote user may be able to cause an application to incorrectly process the connection and modify data or cause denial of service conditions.
Solution:   The vendor has issued a fix (6.0.43, 7.0.55, 8.0.9) [in February 2015].

The vendor's advisory is available at:

http://tomcat.apache.org/security-7.html

Vendor URL:  tomcat.apache.org/security-7.html
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
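
An added example, not part of the original advisory or of any vendor tooling: a Python triage helper that checks a Tomcat version string against the affected ranges and fixed releases listed in the Version(s) and Solution fields above. The names `parse_version` and `triage` and the sample banners are constructed for illustration; a match means the version falls in the advisory's range, not that exploitability was confirmed.

```python
import re

# Affected ranges and fixed releases copied from this advisory's "Version(s)"
# and "Solution" fields, keyed by (major, minor) branch.
AFFECTED = {
    (6, 0): ("6.0.0", "6.0.41", "6.0.43"),
    (7, 0): ("7.0.0", "7.0.54", "7.0.55"),
    (8, 0): ("8.0.0-RC1", "8.0.8", "8.0.9"),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.]?RC(\d+))?", re.IGNORECASE)

def parse_version(text):
    """Return a sortable tuple from e.g. 'Apache Tomcat/7.0.54' or '8.0.0-RC3'.
    A release candidate sorts before the final release with the same number."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, rc = m.groups()
    stage = (0, int(rc)) if rc else (1, 0)   # RCn < final
    return (int(major), int(minor), int(patch)) + stage

def triage(banner):
    """Classify a version string against the advisory's ranges."""
    v = parse_version(banner)
    entry = AFFECTED.get(v[:2])
    if entry is None:
        return "not-listed"                  # branch not covered by this advisory
    first, last, fixed = (parse_version(x) for x in entry)
    if first <= v <= last:
        return f"affected: upgrade to {entry[2]} or later"
    if v >= fixed:
        return "fixed"
    return "not-listed"                      # e.g. 6.0.42, which the advisory does not mention

# Constructed sample inventory (assumed banner format "Apache Tomcat/<version>").
SAMPLE_INVENTORY = [
    "Apache Tomcat/6.0.41",
    "Apache Tomcat/7.0.55",
    "Apache Tomcat/8.0.0-RC5",
    "Apache Tomcat/8.5.4",
]

if __name__ == "__main__":
    for banner in SAMPLE_INVENTORY:
        print(f"{banner:28} {triage(banner)}")
```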

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 7 2015 (IBM Issues Fix for IBM Rational Build Forge) Apache Tomcat 'ChunkedInputFilter.java' Processing Flaw Lets Remote Users Smuggle HTTP Requests
IBM has issued a fix for IBM Rational Build Forge.
Jul 7 2015 (IBM Issues Fix for IBM Cognos Metrics Manager) Apache Tomcat 'ChunkedInputFilter.java' Processing Flaw Lets Remote Users Smuggle HTTP Requests
IBM has issued a fix for IBM Cognos Metrics Manager.
Jul 17 2015 (IBM Issues Fix for IBM WebSphere Message Broker) Apache Tomcat 'ChunkedInputFilter.java' Processing Flaw Lets Remote Users Smuggle HTTP Requests
IBM has issued a fix for IBM WebSphere Message Broker 8.0.
Jul 30 2015 (Blue Coat Systems Issues Fix for Blue Coat Director) Apache Tomcat 'ChunkedInputFilter.java' Processing Flaw Lets Remote Users Smuggle HTTP Requests
Blue Coat Systems has issued a fix for Blue Coat Director.
Jul 30 2015 (Blue Coat Systems Issues Advisory for Blue Coat IntelligenceCenter) Apache Tomcat 'ChunkedInputFilter.java' Processing Flaw Lets Remote Users Smuggle HTTP Requests
Blue Coat Systems has issued an advisory for Blue Coat IntelligenceCenter 3.2 and 3.3.
Sep 2 2015 (IBM Issues Fix for IBM WebSphere Application Server Community Edition) Apache Tomcat 'ChunkedInputFilter.java' Processing Flaw Lets Remote Users Smuggle HTTP Requests
IBM has issued a fix for IBM WebSphere Application Server Community Edition.
Oct 21 2015 (HP Issues Fix for OpenVMS) Apache Tomcat 'ChunkedInputFilter.java' Processing Flaw Lets Remote Users Smuggle HTTP Requests
HP has issued a fix for OpenVMS.




Copyright 2019, SecurityGlobal.net LLC