CVE-2023-46589
Improper Input Validation vulnerability in tomcat-catalina (Maven)


What is CVE-2023-46589 About?

This Improper Input Validation vulnerability in Apache Tomcat concerns the parsing of HTTP trailer headers and can lead to request smuggling. A maliciously crafted trailer header that exceeds the size limit can cause Tomcat to treat a single request as multiple requests, which matters for deployments behind a reverse proxy. Exploitation requires specifically crafted HTTP trailer headers and a reverse proxy in front of Tomcat.

Affected Software

  • org.apache.tomcat:tomcat-catalina
    • >10.1.0-M1, <10.1.16
    • >11.0.0-M1, <11.0.0-M11
    • >8.5.0, <8.5.96
    • >9.0.0-M1, <9.0.83
  • org.apache.tomcat.embed:tomcat-embed-core
    • >10.1.0-M1, <10.1.16
    • >11.0.0-M1, <11.0.0-M11
    • >8.5.0, <8.5.96
    • >9.0.0-M1, <9.0.83

Technical Details

The vulnerability lies in how Apache Tomcat processes HTTP trailer headers. When a trailer header exceeds an internal size limit, Tomcat's parsing logic fails to handle it correctly. This parsing error can desynchronize Tomcat from an upstream reverse proxy: the proxy and Tomcat disagree on where one request ends and the next begins, so what the proxy forwarded as a single HTTP request is processed by Tomcat as multiple requests. This 'request splitting' or 'request smuggling' can be used to bypass security controls, access unauthorized resources, or poison web caches.
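The defensive behaviour this calls for is that an oversized trailer must be rejected as a whole and the connection closed, so the bytes after it are never reinterpreted as a new request. The following is an added, simplified model (not Tomcat's code, and the 256-byte limit, header names and sample stream are constructed for illustration) of a chunked-body parser that enforces a trailer size limit and fails closed:

```python
MAX_TRAILER_SIZE = 256  # constructed limit for this example; Tomcat's limit is configurable


class TrailerTooLarge(Exception):
    """Raised when a trailer line exceeds the configured limit."""


def parse_chunked(buf: bytes, max_trailer: int = MAX_TRAILER_SIZE):
    """Parse one complete chunked body (chunks, last-chunk, trailers, final CRLF).

    Returns (body, trailers, remaining): 'remaining' is whatever follows the body
    and would belong to the next request on a kept-alive connection. Raises
    TrailerTooLarge when a trailer line exceeds max_trailer; the caller must then
    drop the connection instead of parsing 'remaining' as another request.
    Input is assumed complete (a real server also handles partial reads).
    """
    pos, body = 0, bytearray()
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:  # last-chunk: trailers follow
            break
        body += buf[pos:pos + size]
        pos += size + 2  # skip chunk data and its trailing CRLF
    trailers = {}
    while True:
        eol = buf.index(b"\r\n", pos)
        line, pos = buf[pos:eol], eol + 2
        if not line:  # empty line terminates the trailer section
            break
        if len(line) > max_trailer:
            raise TrailerTooLarge(len(line))
        name, _, value = line.partition(b":")
        trailers[name.strip().lower()] = value.strip()
    return bytes(body), trailers, buf[pos:]


def read_bodies(stream: bytes, max_trailer: int = MAX_TRAILER_SIZE):
    """Parse consecutive chunked bodies from one connection's byte stream.

    Fails closed: on the first oversized trailer it reports 400, discards the
    rest of the stream and returns, so no leftover bytes become a new request.
    """
    bodies = []
    while stream:
        try:
            body, _, stream = parse_chunked(stream, max_trailer)
        except TrailerTooLarge:
            return bodies, 400, b""  # close the connection; nothing is carried over
        bodies.append(body)
    return bodies, 200, b""
```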

What is the Impact of CVE-2023-46589?

Successful exploitation may allow attackers to bypass security controls, access unauthorized resources, poison web caches, or interfere with application logic.

What is the Exploitability of CVE-2023-46589?

Exploitation of this vulnerability is moderately complex, requiring an attacker to manipulate HTTP trailer headers so that they exceed the defined size limits. A significant prerequisite is that the vulnerable Tomcat instance must be deployed behind a reverse proxy, because the vulnerability relies on the desynchronization between the proxy's and Tomcat's parsing. No authentication or privileges are needed to send the malicious request, since it operates at the HTTP protocol level, and the attack can be launched remotely. The risk increases if web applications route on request content or if caching mechanisms that could be poisoned are in place.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-46589?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

None

Available Upgrade Options

  • org.apache.tomcat:tomcat-catalina
    • >8.5.0, <8.5.96 → Upgrade to 8.5.96
    • >9.0.0-M1, <9.0.83 → Upgrade to 9.0.83
    • >10.1.0-M1, <10.1.16 → Upgrade to 10.1.16
    • >11.0.0-M1, <11.0.0-M11 → Upgrade to 11.0.0-M11
  • org.apache.tomcat.embed:tomcat-embed-core
    • >8.5.0, <8.5.96 → Upgrade to 8.5.96
    • >9.0.0-M1, <9.0.83 → Upgrade to 9.0.83
    • >10.1.0-M1, <10.1.16 → Upgrade to 10.1.16
    • >11.0.0-M1, <11.0.0-M11 → Upgrade to 11.0.0-M11


Additional Resources

What are Similar Vulnerabilities to CVE-2023-46589?

Similar Vulnerabilities: CVE-2021-42340, CVE-2019-17558, CVE-2007-6031, CVE-2023-38545, CVE-2023-32314