BIT-tomcat-2023-34981
Information Leak vulnerability in tomcat-embed-core (Maven)

Category: Information Leak
Exploit status: No known exploit

What is BIT-tomcat-2023-34981 About?

A regression in Apache Tomcat's AJP connector allows an information leak if a response lacks HTTP headers, causing an AJP proxy to reuse prior response headers. This can lead to disclosure of sensitive data between different requests or clients. Exploitation requires specific proxy configurations and conditions, making it moderately complex.

Affected Software

  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.74, <9.0.75
    • >10.1.8, <10.1.9
    • >11.0.0-M5, <11.0.0-M6
  • org.apache.tomcat:tomcat-coyote
    • >8.5.88, <8.5.89

Technical Details

This vulnerability is a regression stemming from a fix for bug 66512 in Apache Tomcat. Specifically, in versions 11.0.0-M5, 10.1.8, 9.0.74, and 8.5.88, if a server response is generated by Tomcat via the AJP connector and that response does not include any HTTP headers, an AJP SEND_HEADERS message is not sent to the proxy. An AJP proxy, particularly mod_proxy_ajp, is then observed to reuse the response headers from the immediately preceding request for the current header-less response. This leads to an information leak because response headers intended for one client or session could be inadvertently sent to a different, unrelated client requesting a header-less resource. For instance, a client's session cookie or authorization header from a previous request could be leaked if the subsequent response happens to be header-less and the proxy reuses the stale headers.
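To make the condition above concrete, here is an added Python example (not code from the advisory or from the Tomcat project) that scans a captured container-to-proxy AJP13 byte stream and flags every response that reached END_RESPONSE without a SEND_HEADERS message, i.e. exactly the header-less response a proxy might pad with stale headers. The message builders and the sample stream are constructed inline for the demonstration.

```python
import struct

# AJP13 container->proxy framing: magic "AB", 2-byte payload length, payload.
# The first payload byte is the prefix code.
SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE = 3, 4, 5


def ajp_string(s: bytes) -> bytes:
    # AJP string: 2-byte length, bytes, terminating NUL
    return struct.pack(">H", len(s)) + s + b"\x00"


def ajp_msg(payload: bytes) -> bytes:
    return b"AB" + struct.pack(">H", len(payload)) + payload


def msg_send_headers(status: int, headers: list[tuple[bytes, bytes]]) -> bytes:
    p = bytes([SEND_HEADERS]) + struct.pack(">H", status) + ajp_string(b"OK")
    p += struct.pack(">H", len(headers))
    for name, value in headers:  # names sent as plain strings, not 0xA0xx codes
        p += ajp_string(name) + ajp_string(value)
    return ajp_msg(p)


def msg_body_chunk(data: bytes) -> bytes:
    return ajp_msg(bytes([SEND_BODY_CHUNK]) + struct.pack(">H", len(data)) + data)


def msg_end_response() -> bytes:
    return ajp_msg(bytes([END_RESPONSE, 1]))  # 1 = connection may be reused


def iter_messages(stream: bytes):
    off = 0
    while off + 4 <= len(stream):
        if stream[off:off + 2] != b"AB":
            raise ValueError(f"bad AJP magic at offset {off}")
        (length,) = struct.unpack(">H", stream[off + 2:off + 4])
        yield stream[off + 4:off + 4 + length]
        off += 4 + length


def find_headerless_responses(stream: bytes) -> list[int]:
    """Return the 0-based index of each response that ended without SEND_HEADERS."""
    findings, saw_headers, idx = [], False, 0
    for payload in iter_messages(stream):
        if payload[0] == SEND_HEADERS:
            saw_headers = True
        elif payload[0] == END_RESPONSE:
            if not saw_headers:
                findings.append(idx)
            idx, saw_headers = idx + 1, False
    return findings


# Constructed sample: response 0 carries a Set-Cookie header; response 1 has no headers.
SAMPLE = (msg_send_headers(200, [(b"Set-Cookie", b"JSESSIONID=constructed")])
          + msg_body_chunk(b"hello") + msg_end_response()
          + msg_body_chunk(b"no headers") + msg_end_response())
```

Running `find_headerless_responses(SAMPLE)` on a real capture between mod_proxy_ajp and a Tomcat instance is a quick way to confirm whether an application ever produces the header-less responses this advisory depends on.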

What is the Impact of BIT-tomcat-2023-34981?

Successful exploitation may allow attackers to gain unauthorized access to sensitive information, such as session cookies or authentication tokens, which can lead to session hijacking, impersonation, or further unauthorized access to protected resources.

What is the Exploitability of BIT-tomcat-2023-34981?

Exploitation of this vulnerability is of moderate complexity. It requires the presence of a vulnerable Apache Tomcat version (11.0.0-M5, 10.1.8, 9.0.74, or 8.5.88) behind an AJP proxy (such as mod_proxy_ajp). The key prerequisite is that the application served by Tomcat must be capable of generating responses that completely lack HTTP headers under certain conditions. No specific authentication is required to trigger this, as it affects the way responses are handled by the proxy. This is primarily a remote exploitation scenario. The likelihood of exploitation increases in multi-user environments or systems handling sensitive data, especially if a pattern of header-less responses occurs after requests that carry sensitive information in their headers.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for BIT-tomcat-2023-34981?

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.74, <9.0.75 → Upgrade to 9.0.75
    • >10.1.8, <10.1.9 → Upgrade to 10.1.9
    • >11.0.0-M5, <11.0.0-M6 → Upgrade to 11.0.0-M6
  • org.apache.tomcat:tomcat-coyote
    • >8.5.88, <8.5.89 → Upgrade to 8.5.89


Additional Resources

What are Similar Vulnerabilities to BIT-tomcat-2023-34981?

Similar Vulnerabilities: CVE-2023-28709, CVE-2022-45143, CVE-2022-42289, CVE-2022-26132, CVE-2021-42340