Vulnerability closed almost nine months after initial report

Feb 10, 2015 16:18 GMT

The Apache Tomcat open-source web server has received an update that fixes an HTTP request smuggling vulnerability, which could be used to bypass the firewall protection in front of a web application.

Request smuggling refers to incomplete or inconsistent parsing of a request. It generally involves two HTTP devices: a request is sent to the second device through the first one, and each device sees and handles a different part of the data, so they disagree about where one request ends and the next begins.

The flaw is tracked as CVE-2014-0227, which places it in 2014; more precisely, it was reported on May 30 of that year.

According to the security advisory provided by The Apache Software Foundation, it was found by the Tomcat security team, but it is unclear why a patch was released only yesterday.

The problem that was fixed is that an attacker could craft a malformed chunk as part of a chunked request. As a result, Tomcat would read part of the request body as a new request.
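As an added illustration of the failure mode described above (this is not Tomcat's code, and it does not reproduce the specific malformed chunk from the advisory, which the article does not detail), here is a strict chunked-body decoder that fails closed: when a chunk-size line is not valid hex followed by CRLF, it discards the rest of the stream and signals that the connection must be closed, so leftover body bytes are never parsed as a new request. The sample inputs are constructed, and request headers are omitted for brevity.

```python
import re

class MalformedChunk(ValueError):
    """A chunk did not match the HTTP/1.1 grammar; the connection must be closed."""

# chunk-size line: 1*HEXDIG [ chunk-ext ] CRLF (RFC 7230 section 4.1)
_CHUNK_SIZE_LINE = re.compile(rb"([0-9A-Fa-f]+)(;[^\r\n]*)?\r\n")

def decode_chunked(data: bytes):
    """Strictly decode one chunked body; return (body, bytes_after_body).

    Any deviation from the grammar raises MalformedChunk instead of guessing
    where the body ends and the next request begins.
    """
    body = bytearray()
    pos = 0
    while True:
        m = _CHUNK_SIZE_LINE.match(data, pos)
        if m is None:
            raise MalformedChunk(f"bad chunk-size line at offset {pos}")
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            # last-chunk must be followed by an empty line (trailers not supported here)
            if data[pos:pos + 2] != b"\r\n":
                raise MalformedChunk("last-chunk not followed by CRLF")
            return bytes(body), data[pos + 2:]
        end = pos + size
        # A truncated chunk leaves an empty or wrong slice here, so this check covers both cases.
        if data[end:end + 2] != b"\r\n":
            raise MalformedChunk(f"chunk at offset {pos} is truncated or not CRLF-terminated")
        body += data[pos:end]
        pos = end + 2

def read_pipelined_bodies(stream: bytes):
    """Decode consecutive chunked bodies on one connection, failing closed.

    Returns (bodies, must_close). On a malformed chunk the bytes after the
    error are discarded and must_close is True, so they can never be taken
    for a fresh request, which is the desynchronisation this bug allowed.
    """
    bodies, rest = [], stream
    while rest:
        try:
            body, rest = decode_chunked(rest)
        except MalformedChunk:
            return bodies, True
        bodies.append(body)
    return bodies, False
```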

Affected Apache Tomcat versions are 8.0.0 RC1 through 8.0.8, 7.0.0 through 7.0.54, and 6.0.0 through 6.0.41. The risk can be mitigated by upgrading to the recently released versions 8.0.9, 7.0.55 and 6.0.43; build 6.0.42 also contains the fix, but it has not been released.