PT-2022-6037 · Apache · Apache Tomcat
Sam Shahsavar
Published 2022-10-11 · Updated 2026-05-18
CVE-2022-42252
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 8.5.0 through 8.5.82
Apache Tomcat versions 9.0.0-M1 through 9.0.67
Apache Tomcat versions 10.0.0-M1 through 10.0.26
Apache Tomcat versions 10.1.0-M1 through 10.1.0
Description
The issue lies in the implementation of the rejectIllegalHeader attribute in Apache Tomcat. When the attribute is set to false, Tomcat processes requests carrying an invalid Content-Length header instead of rejecting them. If such a Tomcat instance sits behind a reverse proxy that also fails to reject these requests, the proxy and Tomcat can disagree about where one request ends and the next begins, which enables HTTP request smuggling: a remote attacker can send hidden HTTP requests that the proxy does not recognise as separate requests.
Recommendations
For Apache Tomcat versions 8.5.0 through 8.5.82, update the configuration to set rejectIllegalHeader to true or upgrade to a version where this is the default.
For Apache Tomcat versions 9.0.0-M1 through 9.0.67, ensure that rejectIllegalHeader is set to true and consider upgrading to a newer version.
For Apache Tomcat versions 10.0.0-M1 through 10.0.26, set rejectIllegalHeader to true and consider upgrading.
For Apache Tomcat versions 10.1.0-M1 through 10.1.0, set rejectIllegalHeader to true and consider upgrading to a version where this vulnerability is fixed.
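One way to verify the recommendation above across a deployment, written as an added example that is not from this advisory or from the Apache Tomcat project: it reads a conf/server.xml, reports the rejectIllegalHeader value of every HTTP connector, lists the connectors that do not explicitly reject illegal headers, and produces a hardened copy of the configuration. The sample server.xml is constructed for the example. The attribute name and its placement on <Connector> elements come from the Tomcat configuration reference; the decisions to skip AJP connectors (the attribute applies to HTTP connectors) and to report an unset attribute as something to check against the running version's default rather than assume it are the script's own.

```python
"""Audit Tomcat server.xml Connector elements for rejectIllegalHeader.

Added example, not code from the advisory or the Apache Tomcat project.
Assumptions: the attribute lives on <Connector> elements in conf/server.xml,
only an explicit "true" is treated as safe, and an unset attribute is reported
as "unset" because the branch default must be confirmed for the running version.
"""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one connector explicitly weakened (8080),
# one hardened (8443), one relying on the version default (8081), and one
# AJP connector (8009) that the attribute does not apply to.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               rejectIllegalHeader="false" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               rejectIllegalHeader="true" />
    <Connector port="8081" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" secretRequired="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def is_http_connector(connector):
    """True for HTTP/1.1 connectors: protocol omitted, "HTTP/1.1", or an
    org.apache.coyote.http11.* implementation class. AJP connectors are skipped."""
    protocol = connector.get("protocol")
    if protocol is None or protocol == "HTTP/1.1":
        return True
    return "http11" in protocol.lower()


def classify(connector):
    """Return "true", "false" or "unset" for one Connector element.
    Only the literal boolean "true" (case-insensitive) enables rejection."""
    value = connector.get("rejectIllegalHeader")
    if value is None:
        return "unset"
    return "true" if value.strip().lower() == "true" else "false"


def audit_server_xml(xml_text):
    """Map each HTTP Connector (keyed by port) to its rejectIllegalHeader status.
    The document is trusted local configuration, so the stdlib parser is fine."""
    root = ET.fromstring(xml_text)
    results = {}
    for connector in root.iter("Connector"):
        if is_http_connector(connector):
            results[connector.get("port", "?")] = classify(connector)
    return results


def needs_attention(results):
    """Ports whose connector does not explicitly reject illegal headers."""
    return sorted(port for port, status in results.items() if status != "true")


def hardened(xml_text):
    """Return a copy of the config with rejectIllegalHeader="true" on every
    HTTP Connector; the mitigation the advisory recommends for all branches."""
    root = ET.fromstring(xml_text)
    for connector in root.iter("Connector"):
        if is_http_connector(connector):
            connector.set("rejectIllegalHeader", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    status = audit_server_xml(SAMPLE_SERVER_XML)
    for port, value in status.items():
        print(f"Connector port={port}: rejectIllegalHeader={value}")
    print("needs attention:", needs_attention(status))
    print(hardened(SAMPLE_SERVER_XML))
```

Run it against a real file with `audit_server_xml(open("conf/server.xml").read())`; a connector reported as "unset" is not necessarily vulnerable, but its effective value depends on the branch default and should be pinned explicitly so the setting survives upgrades and copy-pasted connector definitions.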
As a temporary workaround, consider restricting access to the server or disabling the processing of requests with invalid Content-Length headers until a patch is available.
Fix
DoS
RCE
HTTP Request/Response Smuggling
Affected Products
Alt Linux
Apache Tomcat
Astra Linux
Confluence
Linuxmint
Red Os
Suse
Ubuntu