Lucene search

K
amazonAmazonALAS2-2023-2216
HistoryAug 17, 2023 - 11:58 a.m.

Medium: tomcat

2023-08-1711:58:00
alas.aws.amazon.com
24
apache tomcat
http request smuggling
cve-2020-1935
update
vulnerability

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7.9

Confidence

Low

EPSS

0.002

Percentile

62.2%

Issue Overview:

A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. The highest threat with this vulnerability is system availability. (CVE-2020-1935)

Affected Packages:

tomcat

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update tomcat to update your system.

New Packages:

noarch:  
    tomcat-7.0.76-10.amzn2.0.6.noarch  
    tomcat-admin-webapps-7.0.76-10.amzn2.0.6.noarch  
    tomcat-docs-webapp-7.0.76-10.amzn2.0.6.noarch  
    tomcat-javadoc-7.0.76-10.amzn2.0.6.noarch  
    tomcat-jsvc-7.0.76-10.amzn2.0.6.noarch  
    tomcat-jsp-2.2-api-7.0.76-10.amzn2.0.6.noarch  
    tomcat-lib-7.0.76-10.amzn2.0.6.noarch  
    tomcat-servlet-3.0-api-7.0.76-10.amzn2.0.6.noarch  
    tomcat-el-2.2-api-7.0.76-10.amzn2.0.6.noarch  
    tomcat-webapps-7.0.76-10.amzn2.0.6.noarch  
  
src:  
    tomcat-7.0.76-10.amzn2.0.6.src  

Additional References

Red Hat: CVE-2020-1935

Mitre: CVE-2020-1935

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

7.9

Confidence

Low

EPSS

0.002

Percentile

62.2%