![]() ![]() Hence, we highly recommend to upgrade to the Apache Tomcat 10.0.7, 9.0.48, 8.5.68 versions or to the latest version of Apache Tomcat. The vulnerability has been discovered in the current year but it’s been prevalent and observed frequently. Once the vulnerability is successfully detected by Qualys WAS, users shall see similar kind of results in the vulnerability scan report: Solution This request helps in retrieving the installed version of Apache Tomcat in the banner of the response. Threat ID: CC-4030 Threat Severity: Information only Published: 2 February 2022 2:47 PM. ![]() We make a request to GET /QUALYSTESTRANDOM.1tmhl HTTP/1.0. Apache Releases Security Update for Apache in Apache Tomcat. This vulnerability is detected based on the installed version. Detecting vulnerability with Qualys WASĬustomers can detect this vulnerability with Qualys Web Application Scanning using QID 150367. You can create a release to package software, along with release notes and links to binary files, for other people to use. Specifically – Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response Tomcat honored the identify encoding but did not ensure that, if present, the chunked encoding was the final encoding. The potential for the vulnerability is a high possibility when the server is configured with a reverse proxy. Not parsing the request header based on the specification leads to the possibility to request smuggling. This vulnerability occurs because vulnerable versions of Apache tomcat do not correctly parse the HTTP transfer-encoding request header in some circumstances. ![]() Apache Tomcat 3.3 is the latest continuation of the Apache Tomcat 3.x architecture and it is more advanced then 3.2.4, which is the 'old' production quality release. About CVE-2021-33037Īpache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.Īccording to CVE-2021-33037, Apache tomcat versions 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 are vulnerable to this vulnerability. There are several versions of Apache Tomcat 3.x currently available for download: Version 3.3 is the current production quality release for the Servlet 2.2 and JSP 1.1 specifications. Qualys highly recommends upgrading all affected instances of Tomcat. Once detected, the vulnerability can be remediated by upgrading to Apache Tomcat 10.0.7, 9.0.48, 8.5.68 versions or to the latest version of Apache Tomcat. Qualys Web Application Scanning has added a new QID that detects this vulnerability by sending a request to the target server to determine if it is exploitable. HTTP Request Smuggling (HRS) is a web application vulnerability that enables an attacker to craft a single request that hides a second request within the body of the first request. Server version: SpringSource tc Runtime/2.0.4.RELEASE Server built: Aug0710 Server number: 6.0.28.29 OS Name: Linux OS Version: 2.6.18-194.11.1.el5 Architecture: i386 JVM Version: 1.6.021-b06 JVM Vendor: Sun Microsystems Inc. A vulnerability (CVE-2021-33037) discovered this year in Apache Tomcat causes incorrect parsing of the HTTP transfer-encoding request header in some circumstances, leading to the possibility of HTTP Request Smuggling (HRS) when used with a reverse proxy. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |