CVE-2021-25122
h2c connection requests vulnerability in tomcat-embed-core (Maven)


What is CVE-2021-25122 About?

This vulnerability in Apache Tomcat allows request headers and a limited amount of request body data to be duplicated across different users' requests during h2c connection handling. This can lead to information disclosure, where one user may inadvertently receive parts of another user's request. Because the issue stems from a flaw in the request-processing logic itself, triggering it appears to be relatively straightforward.

Affected Software

  • org.apache.tomcat.embed:tomcat-embed-core
    • >10.0.0, <10.0.2
    • >9.0.0, <9.0.43
    • >8.5.0, <8.5.63

Technical Details

The vulnerability occurs within Apache Tomcat's handling of new h2c (HTTP/2 Cleartext) connection requests. Specifically, versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, and 8.5.0 to 8.5.61 contain a flaw in which the request headers and a limited portion of the request body from an initial client request (User A) can be duplicated and inadvertently exposed to a subsequent client request (User B). This suggests a memory or buffer handling issue in which data from an earlier request is not properly cleared or isolated before a new, unrelated request on the same connection is processed, leading to cross-user data leakage.

What is the Impact of CVE-2021-25122?

Successful exploitation may allow attackers to gain unauthorized access to sensitive request headers or portions of request bodies intended for other users, potentially leading to information disclosure or session hijacking.

What is the Exploitability of CVE-2021-25122?

Exploitation of this vulnerability would typically require remote access to a vulnerable Apache Tomcat server. No prior authentication is likely required, as the flaw concerns the initial handling of h2c connection requests. The complexity is moderate, depending primarily on the attacker's ability to trigger the specific timing or connection patterns that lead to the request data duplication. No special privileges are needed. The likelihood of exploitation is higher in environments where h2c is actively used and multiple users frequently interact with the server.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-25122?

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >8.5.0, <8.5.63 → Upgrade to 8.5.63
  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0, <9.0.43 → Upgrade to 9.0.43
  • org.apache.tomcat.embed:tomcat-embed-core
    • >10.0.0, <10.0.2 → Upgrade to 10.0.2
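As an added example (not code from this advisory or from the Tomcat project), the following Python helper pulls the declared tomcat-embed-core version out of a Maven POM and checks it against the spans above: the first affected build from the Technical Details section (inclusive) up to the fixed release from the upgrade table (exclusive). The POM fragment is constructed for the demonstration, and milestone builds such as 10.0.0-M1 are ordered before the GA release of the same number.

```python
import re
import xml.etree.ElementTree as ET

# Affected spans taken from the advisory: first affected build (inclusive)
# up to the fixed release (exclusive); the fixed release is the upgrade target.
AFFECTED = [("8.5.0", "8.5.63"), ("9.0.0.M1", "9.0.43"), ("10.0.0-M1", "10.0.2")]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_GA = 10**6  # sentinel: a GA release sorts after every milestone of the same number


def parse_version(v: str) -> tuple:
    """Parse Tomcat versions such as '9.0.41', '10.0.0-M1' or '9.0.0.M1'."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else _GA)


def check_version(v: str) -> tuple:
    """Return (affected, upgrade_to); upgrade_to is None when not affected."""
    pv = parse_version(v)
    for first_affected, fixed in AFFECTED:
        if parse_version(first_affected) <= pv < parse_version(fixed):
            return True, fixed
    return False, None


def tomcat_embed_core_versions(pom_xml: str) -> list:
    """Declared versions of org.apache.tomcat.embed:tomcat-embed-core in a POM."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    found = []
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependency", ns):
        gid = dep.findtext("m:groupId", default="", namespaces=ns)
        aid = dep.findtext("m:artifactId", default="", namespaces=ns)
        ver = dep.findtext("m:version", default="", namespaces=ns)
        if gid == "org.apache.tomcat.embed" and aid == "tomcat-embed-core" and ver:
            found.append(ver)
    return found


# Constructed sample POM (not from any real project) to run the check against.
SAMPLE_POM = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies><dependency>'
              '<groupId>org.apache.tomcat.embed</groupId><artifactId>tomcat-embed-core'
              '</artifactId><version>9.0.41</version></dependency></dependencies></project>')


def audit_pom(pom_xml: str) -> list:
    """[(version, affected, upgrade_to)] for every tomcat-embed-core dependency."""
    return [(v, *check_version(v)) for v in tomcat_embed_core_versions(pom_xml)]
```

Versions declared through a property or a parent BOM are not resolved here; run the check on the output of `mvn dependency:tree` in that case.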


Additional Resources

What are Similar Vulnerabilities to CVE-2021-25122?

Similar Vulnerabilities: CVE-2022-22965, CVE-2015-5345, CVE-2019-0232, CVE-2020-1938