CVE-2014-0227 Apache Tomcat Request Smuggling
Severity

Important

Vendor

Apache Software Foundation

Versions Affected
  • Apache Tomcat 8.0.0-RC1 to 8.0.8 inclusive
  • Apache Tomcat 7.0.0 to 7.0.54 inclusive
  • Apache Tomcat 6.0.0 to 6.0.41 inclusive

Description

It was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request.
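The failure mode the description names is a chunked-body decoder that, when handed a malformed chunk, leaves bytes on a keep-alive connection that are then parsed as the next request. The following added example (not Tomcat's code and not taken from this advisory) shows the defensive behaviour: a strict decoder that rejects any chunk-size line that is not well-formed, and a toy connection loop that closes the connection on such an error instead of resynchronising. The sample requests are constructed, and the toy model assumes every request carries a chunked body.

```python
import re

# chunk-size = 1*HEXDIG, optionally followed by a ";ext" chunk extension (RFC 7230 style).
CHUNK_SIZE_LINE = re.compile(rb"[0-9A-Fa-f]+(;[^\r\n]*)?")


class MalformedChunk(ValueError):
    """Chunked body is not well-formed; the caller must close the connection."""


def decode_chunked(stream: bytes):
    """Strictly decode a chunked body; return (body, bytes after the last chunk).
    Any malformed chunk raises instead of guessing where the body ends."""
    body, pos = bytearray(), 0
    while True:
        end = stream.find(b"\r\n", pos)
        if end < 0:
            raise MalformedChunk("chunk-size line not CRLF-terminated")
        line = stream[pos:end]
        if not CHUNK_SIZE_LINE.fullmatch(line):
            raise MalformedChunk(f"invalid chunk-size line: {line!r}")
        size, pos = int(line.split(b";", 1)[0], 16), end + 2
        if size == 0:  # last-chunk; trailers are not modelled here
            if stream[pos:pos + 2] != b"\r\n":
                raise MalformedChunk("missing final CRLF")
            return bytes(body), stream[pos + 2:]
        if stream[pos + size:pos + size + 2] != b"\r\n":
            raise MalformedChunk("chunk data truncated or not CRLF-terminated")
        body += stream[pos:pos + size]
        pos += size + 2


def handle_connection(stream: bytes):
    """Toy keep-alive loop: parse requests back to back, each assumed chunked.
    Returns (list of (request-line, body), final connection state)."""
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break
        try:
            body, stream = decode_chunked(rest)
        except MalformedChunk:
            # Closing here is what keeps leftover body bytes from ever being
            # read as a new request on this connection.
            return requests, "closed"
        requests.append((head.split(b"\r\n")[0], body))
    return requests, "keep-alive"


# Constructed samples: two well-formed pipelined requests, then one whose
# chunk-size line is not valid hex.
GOOD = (b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n"
        b"5\r\nhello\r\n0\r\n\r\n"
        b"GET /b HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
BAD = (b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n"
       b"5zz\r\nhello\r\n0\r\n\r\nGET /b HTTP/1.1\r\n\r\n")
```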

Affected Pivotal Products and Versions

Severity is important unless otherwise noted.

  • Pivotal tc Server, runtimes based on Apache Tomcat 8 are not affected
  • Pivotal tc Server, runtimes 7.0.4.A to 7.0.53.B inclusive
  • Pivotal tc Server, runtimes 6.0.25.A to 6.0.41.A inclusive

Mitigation

Users of affected versions should apply the following mitigation:

  • Upgrade to tc Runtime 7.0.55.A or later
  • Upgrade to tc Runtime 6.0.43.A or later

Credit

This issue was identified by the Apache Tomcat security team.

References

History

2015-Feb-09: Initial vulnerability report published.