Bug 865740 - (CVE-2013-4286) VUL-0: CVE-2013-4286: tomcat: incomplete fix for CVE-2005-2090
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.1
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: CVSSv2:NVD:CVE-2013-4286:5.8:(AV:N/A...
Keywords: DSLA_REQUIRED, security_vulnerability
Depends on:
Blocks:
Reported: 2014-02-26 08:49 UTC by Victor Pereira
Modified: 2020-02-12 21:05 UTC (History)
CC List: 2 users

See Also:
Found By: ---
Services Priority: 300
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Flags: meissner: needinfo? (david.chenworth)


Description Victor Pereira 2014-02-26 08:49:35 UTC
CVE-2013-4286

The Tomcat fix for CVE-2005-2090 was not complete. It did not cover the following cases:

- content-length header with chunked encoding over any HTTP connector
- multiple content-length headers over any AJP connector

Requests with multiple content-length headers, or with a content-length header when chunked encoding is being used, should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain either multiple content-length headers or a content-length header when chunked encoding is being used, and several components do not reject the request and make different decisions as to which content-length header to use, an attacker can poison a web cache, perform an XSS attack and obtain sensitive information from requests other than their own. Tomcat now rejects requests with multiple content-length headers or with a content-length header when chunked encoding is being used.

This has been corrected in upstream versions 8.0.0-rc3 [1], 7.0.47 [2], and 6.0.39 [3].

References:

[1] http://svn.apache.org/viewvc?view=revision&revision=1521829
[2] http://svn.apache.org/viewvc?view=revision&revision=1521854
[3] http://svn.apache.org/viewvc?view=revision&revision=1552565
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1069921
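The following is an added illustration, not part of the bug report and not Tomcat code, of the framing rule the description above says Tomcat now enforces, next to the lenient behaviour that makes the desync possible. It parses raw HTTP/1.1 requests, applies either a strict policy (reject multiple Content-Length headers, reject Content-Length alongside Transfer-Encoding: chunked) or a "pick first / pick last Content-Length" policy, and shows that two lenient components carve the same byte stream at different points so that a second, attacker-supplied request line is left over on one of them. All function names, the sample requests and the host names are constructed for the example.

```python
"""Request-framing checks for the CVE-2013-4286 cases. Illustrative code
written for this bug entry; not Tomcat's implementation. Sample traffic below
is constructed, not captured."""


class InvalidRequest(ValueError):
    """Raised when the body framing of a request is ambiguous or malformed."""


def parse_head(raw: bytes):
    """Split a raw request into (request line, [(name, value)], rest).
    Repeated headers stay as separate entries so duplicates remain visible."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise InvalidRequest("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise InvalidRequest("malformed header line %r" % line)
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return lines[0].decode("latin-1"), headers, rest


def strict_framing(headers):
    """Fixed behaviour described in the report: any ambiguity between the
    Content-Length and chunked signals is rejected outright.
    Returns ("chunked", None) or ("length", n)."""
    lengths = [v for n, v in headers if n == "content-length"]
    chunked = any("chunked" in v.lower()
                  for n, v in headers if n == "transfer-encoding")
    if len(lengths) > 1:
        raise InvalidRequest("multiple Content-Length headers")
    if lengths and chunked:
        raise InvalidRequest("Content-Length together with chunked encoding")
    if chunked:
        return "chunked", None
    if lengths:
        if not lengths[0].isdigit():
            raise InvalidRequest("non-numeric Content-Length")
        return "length", int(lengths[0])
    return "length", 0


def lenient_framing(which):
    """Pre-fix style policy of a component that silently picks the 'first'
    or 'last' Content-Length value. Used only to demonstrate the desync."""
    def policy(headers):
        lengths = [v for n, v in headers if n == "content-length"]
        if not lengths:
            return "length", 0
        return "length", int(lengths[0] if which == "first" else lengths[-1])
    return policy


def read_chunked(data: bytes):
    """Decode a chunked body: (body, bytes after the terminating chunk).
    Trailer headers are not handled (simplifying assumption)."""
    body, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return body, data[pos + 2:]  # skip the empty line after the 0 chunk
        body += data[pos:pos + size]
        pos += size + 2                  # chunk data plus its trailing CRLF


def take_request(stream: bytes, policy):
    """Carve one request from a byte stream under the given framing policy.
    Returns (request line, body, bytes the component treats as the NEXT request)."""
    request_line, headers, rest = parse_head(stream)
    mode, n = policy(headers)
    if mode == "chunked":
        body, remainder = read_chunked(rest)
    else:
        body, remainder = rest[:n], rest[n:]
    return request_line, body, remainder


# Constructed sample traffic: a POST whose body hides a second request line.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app\r\n\r\n"
BODY = b"q=1&" + SMUGGLED
CL_CL = (b"POST /search HTTP/1.1\r\nHost: app\r\n"
         + b"Content-Length: %d\r\n" % len(b"q=1&")
         + b"Content-Length: %d\r\n" % len(BODY)
         + b"\r\n" + BODY)
CL_TE = (b"POST /search HTTP/1.1\r\nHost: app\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n"
         b"4\r\nq=1&\r\n0\r\n\r\n")


def demo():
    """A 'last Content-Length' front end consumes the whole body, a 'first
    Content-Length' back end leaves the smuggled GET queued as the next request;
    the strict rule refuses both ambiguous requests."""
    _, _, front_rest = take_request(CL_CL, lenient_framing("last"))
    _, _, back_rest = take_request(CL_CL, lenient_framing("first"))
    strict = {}
    for name, req in (("CL_CL", CL_CL), ("CL_TE", CL_TE)):
        try:
            take_request(req, strict_framing)
            strict[name] = "accepted"
        except InvalidRequest as exc:
            strict[name] = "rejected: %s" % exc
    return {"front_remainder": front_rest, "back_remainder": back_rest,
            "strict": strict}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the back end left holding `GET /admin HTTP/1.1 ...` as the start of the next request while the front end saw nothing left over, which is the disagreement the report describes; under `strict_framing` both the double Content-Length and the Content-Length-plus-chunked request are rejected before any body is read. A well-formed chunked request without Content-Length still parses normally under the strict rule.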
Comment 1 Swamp Workflow Management 2014-02-26 23:00:15 UTC
bugbot adjusting priority
Comment 7 Marcus Meissner 2014-12-08 15:18:10 UTC
David seems not to reply. Let's close.