CVE-2023-45648
Improper Input Validation vulnerability in org.apache.tomcat:tomcat

Improper Input Validation | No known exploit | Fixable by Resolved Security

What is CVE-2023-45648 About?

This vulnerability in Apache Tomcat stems from improper validation of HTTP trailer headers. A specially crafted, invalid trailer header can cause Tomcat to misinterpret a single HTTP request as multiple, leading to request smuggling. Exploitation is feasible, especially when Tomcat is behind a reverse proxy.

Affected Software

  • org.apache.tomcat:tomcat
    • >10.1.0-M1, <10.1.14
    • >9.0.0-M1, <9.0.81
    • >11.0.0-M1, <11.0.0-M12
    • >8.5.0, <8.5.94
  • org.apache.tomcat.embed:tomcat-embed-core
    • >10.1.0-M1, <10.1.14
    • >9.0.0-M1, <9.0.81
    • >11.0.0-M1, <11.0.0-M12
    • >8.5.0, <8.5.94

Technical Details

The vulnerability lies in how Apache Tomcat (versions 11.0.0-M1 through 11.0.0-M11, 10.1.0-M1 through 10.1.13, 9.0.0-M1 through 9.0.81, and 8.5.0 through 8.5.93) processes HTTP trailer headers. Tomcat fails to correctly parse invalid trailer headers. An attacker can craft a malformed trailer header that causes Tomcat to incorrectly delineate HTTP requests. This can result in a single incoming HTTP message being interpreted as two or more distinct requests. When an affected Tomcat instance is deployed behind a reverse proxy, this misinterpretation can lead to classic HTTP request smuggling, where an attacker can 'smuggle' malicious requests past the proxy's security checks or interfere with other legitimate requests.

What is the Impact of CVE-2023-45648?

Successful exploitation may allow attackers to perform request smuggling, potentially bypassing security controls, gaining unauthorized access to resources, or performing other malicious actions on behalf of other users.

What is the Exploitability of CVE-2023-45648?

Exploitation requires the ability to send specially crafted HTTP requests to the vulnerable Apache Tomcat server. The complexity is medium, as it involves understanding HTTP protocol nuances and the specifics of trailer header parsing. No authentication or specific privileges are required to send these malformed requests. This is a remote vulnerability, as attackers can initiate the malicious requests from any network location. The primary special condition that increases likelihood is the deployment of a vulnerable Tomcat instance behind a reverse proxy, which is a common architecture. Risk factors include publicly exposed Tomcat instances and applications that rely heavily on the accuracy of HTTP request parsing.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2023-45648?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch enforces stricter validation on HTTP trailer headers by ensuring that only valid token characters are allowed in header names and that control characters are properly excluded from header values, mirroring the validation used for standard headers. This fixes CVE-2023-45648 by preventing attackers from injecting malicious or non-compliant headers via HTTP trailer fields, which could otherwise be used to bypass security checks or exploit HTTP request processing.
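The validation rule described above, written out as an added example (this is not Tomcat's or Resolved Security's patch code). It assumes the RFC 9110 `token` grammar for field names and treats C0 control characters other than horizontal tab, plus DEL, as invalid in field values; the function names and sample trailer sections are constructed for illustration.

```python
import re

# RFC 9110 "token": one or more tchar characters (assumed grammar for names).
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Bytes rejected in a field value: C0 controls except HTAB (0x09), plus DEL.
BAD_VALUE_BYTE = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def check_trailer_line(line: bytes):
    """Return None if the trailer field line is valid, else a reason string."""
    name, sep, value = line.partition(b":")
    if not sep:
        return "missing colon"
    if not TOKEN.fullmatch(name):
        return "invalid character in field name"
    if BAD_VALUE_BYTE.search(value.strip(b" \t")):
        return "control character in field value"
    return None


def validate_trailers(trailer_section: bytes):
    """Validate the bytes that follow the last chunk ("0" CRLF) of a chunked body.

    Returns a list of (line, reason) for every rejected line; an empty list
    means every field passed. A server applying this rule rejects the request
    instead of continuing to parse the bytes that follow.
    """
    rejected = []
    for line in trailer_section.split(b"\r\n"):
        if line == b"":  # blank line ends the trailer section
            break
        reason = check_trailer_line(line)
        if reason:
            rejected.append((line, reason))
    return rejected


# Constructed sample trailer sections (not taken from the advisory).
GOOD = b"X-Checksum: 9f2c\r\nExpires: Wed, 21 Oct 2026 07:28:00 GMT\r\n\r\n"
BAD = b"X-Check sum: 9f2c\r\nX-Note: a\x0bb\r\nNoColonHere\r\n\r\n"

if __name__ == "__main__":
    print(validate_trailers(GOOD))
    for line, reason in validate_trailers(BAD):
        print(repr(line), "->", reason)
```

The same check can be run over captured trailer sections at a proxy or in a test harness to confirm that the front end and the back end reject the same inputs.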

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >8.5.0, <8.5.94 → Upgrade to 8.5.94
    • >9.0.0-M1, <9.0.81 → Upgrade to 9.0.81
    • >10.1.0-M1, <10.1.14 → Upgrade to 10.1.14
    • >11.0.0-M1, <11.0.0-M12 → Upgrade to 11.0.0-M12
  • org.apache.tomcat:tomcat
    • >8.5.0, <8.5.94 → Upgrade to 8.5.94
    • >9.0.0-M1, <9.0.81 → Upgrade to 9.0.81
    • >10.1.0-M1, <10.1.14 → Upgrade to 10.1.14
    • >11.0.0-M1, <11.0.0-M12 → Upgrade to 11.0.0-M12

Additional Resources

What are Similar Vulnerabilities to CVE-2023-45648?

Similar Vulnerabilities: CVE-2021-42340, CVE-2021-26690, CVE-2020-1938, CVE-2019-17567, CVE-2018-8032