CVE-2021-33037
Vulnerability Summary
Description
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP Transfer-Encoding request header in some circumstances, leading to the possibility of request smuggling when Tomcat is used behind a reverse proxy. Specifically:
- Tomcat incorrectly ignored the Transfer-Encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
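The three defects above are all cases where a back end and a front-end proxy can disagree on how a request body is framed. The following is an added example (not Tomcat's code and not from the advisory) of a strict Transfer-Encoding check that rejects each of those three cases, in the spirit of RFC 7230 section 3.3.3: Transfer-Encoding is never silently ignored based on the declared HTTP version, the identity coding is refused, and chunked must be the final coding. The request lines and header values are constructed for the example; the function and type names are assumptions.

```python
"""Strict Transfer-Encoding framing check.

Added example modelled on the three parsing defects listed for
CVE-2021-33037. It is not Apache Tomcat's own parser; it shows the
decisions a hardened HTTP server (or a front-end proxy) should make so
that both ends agree on where a request body ends.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Verdict:
    ok: bool                       # True if the request may be processed
    reason: str                    # why it was accepted or rejected
    encodings: List[str] = field(default_factory=list)


def parse_transfer_encoding(header_values: List[str]) -> List[str]:
    """Split one or more Transfer-Encoding field values into lower-cased
    coding names. Handles comma-separated lists, repeated header lines and
    trailing ';parameter' suffixes (e.g. 'gzip;q=1')."""
    codings = []
    for value in header_values:
        for part in value.split(","):
            name = part.split(";", 1)[0].strip().lower()
            if name:
                codings.append(name)
    return codings


def validate_request(request_line: str, headers: Dict[str, List[str]]) -> Verdict:
    """Decide whether the body framing of this request is unambiguous.

    headers maps header names (any case) to the list of values seen.
    """
    # Header names are case-insensitive; normalise once.
    normalised = {name.lower(): values for name, values in headers.items()}
    te_values = normalised.get("transfer-encoding")
    if te_values is None:
        return Verdict(True, "no Transfer-Encoding; body delimited by Content-Length or absent")

    # Defect 1: the header must never be ignored because the client declared
    # HTTP/1.0. Transfer-Encoding is undefined for HTTP/1.0, so the safe choice
    # is an explicit rejection, not silent fallback to Content-Length.
    version = request_line.rsplit(" ", 1)[-1]
    if version != "HTTP/1.1":
        return Verdict(False, f"Transfer-Encoding not permitted on a {version} request")

    encodings = parse_transfer_encoding(te_values)

    # Defect 2: 'identity' is not a registered transfer coding in RFC 7230
    # and must not be honoured as one.
    if "identity" in encodings:
        return Verdict(False, "'identity' transfer coding is not permitted", encodings)

    # Defect 3: if chunked is present it must be the last coding applied,
    # otherwise the body length cannot be determined reliably.
    if "chunked" in encodings and encodings[-1] != "chunked":
        return Verdict(False, "chunked must be the final transfer coding", encodings)
    if "chunked" not in encodings:
        return Verdict(False, "Transfer-Encoding without chunked leaves the body length undefined", encodings)
    return Verdict(True, "chunked framing accepted", encodings)


# Constructed sample requests exercising each rule (not captured traffic).
DEMO_CASES = {
    "plain chunked":          ("POST /api HTTP/1.1", {"Transfer-Encoding": ["chunked"]}),
    "gzip then chunked":      ("POST /api HTTP/1.1", {"Transfer-Encoding": ["gzip", "Chunked"]}),
    "http/1.0 with TE":       ("POST /api HTTP/1.0", {"Transfer-Encoding": ["chunked"]}),
    "identity coding":        ("POST /api HTTP/1.1", {"Transfer-Encoding": ["identity"]}),
    "chunked not last":       ("POST /api HTTP/1.1", {"Transfer-Encoding": ["chunked, gzip"]}),
    "no TE at all":           ("GET / HTTP/1.1", {"Content-Length": ["0"]}),
}


def run_demo() -> Dict[str, bool]:
    """Return the accept/reject decision for every constructed case."""
    results = {}
    for label, (request_line, headers) in DEMO_CASES.items():
        verdict = validate_request(request_line, headers)
        results[label] = verdict.ok
        print(f"{label:20s} -> {'accept' if verdict.ok else 'reject'}: {verdict.reason}")
    return results


if __name__ == "__main__":
    run_demo()
```

The same function can be run on the proxy side: a front end that enforces these rules before forwarding removes the ambiguity that request smuggling relies on, independently of which Tomcat version sits behind it.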
CVSS Metrics
- v3.1 | MEDIUM | Score: 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- v2.0 | MEDIUM | Score: 5 | AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 1.86% | Percentile: 83%
Techniques & Countermeasures
- CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Affected Systems
- apache software foundation•apache tomcat
Apache Tomcat 10 10.0.0-M1 to 10.0.6 | Apache Tomcat 9 9.0.0.M1 to 9.0.46 | Apache Tomcat 8 8.5.0 to 8.5.66
- Unknown•Tomcat
≥ 8.5.0, ≤ 8.5.66 | > 9.0.0, ≤ 9.0.46 | > 10.0.0, ≤ 10.0.6
- apache•tomee
8.0.6
- debian•debian_linux
9.0 | 10.0
- org.apache.tomcat•tomcat
≥ 10.0.0-M1, < 10.0.7 | ≥ 9.0.0-M1, < 9.0.48 | ≥ 8.5.0, < 8.5.68
- mcafee•epolicy_orchestrator
< 5.10.0 | 5.10.0 | 5.10.0:update_1 | 5.10.0:update_10 | 5.10.0:update_2 | 5.10.0:update_3 | 5.10.0:update_4 | 5.10.0:update_5 | 5.10.0:update_6 | 5.10.0:update_7 | 5.10.0:update_8 | 5.10.0:update_9
- oracle•agile_plm
9.3.6
- oracle•communications_cloud_native_core_policy
1.14.0
- oracle•communications_cloud_native_core_service_communication_proxy
1.14.0
- oracle•communications_diameter_signaling_router
≥ 8.0.0.0, ≤ 8.5.0.2
- oracle•communications_instant_messaging_server
10.0.1.5.0
- oracle•communications_policy_management
12.5.0
- oracle•communications_pricing_design_center
12.0.0.3.0
- oracle•communications_session_report_manager
≥ 8.0.0, ≤ 8.2.4.0
- oracle•communications_session_route_manager
≥ 8.0.0, ≤ 8.2.4
- oracle•graph_server_and_client
< 21.4
- oracle•healthcare_translational_research
4.1.0
- oracle•hospitality_cruise_shipboard_property_management_system
20.1.0
- oracle•instantis_enterprisetrack
17.1 | 17.2 | 17.3
- oracle•managed_file_transfer
12.2.1.3.0 | 12.2.1.4.0
- oracle•mysql_enterprise_monitor
≤ 8.0.25
- oracle•sd-wan_edge
9.0 | 9.1
- oracle•secure_global_desktop
5.6
- oracle•utilities_testing_accelerator
6.0.0.1.1 | 6.0.0.2.2 | 6.0.0.3.1
References (38)
- https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7%40%3Ccommits.tomee.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html
- https://www.debian.org/security/2021/dsa-4952
- https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://security.netapp.com/advisory/ntap-20210827-0007/
- https://kc.mcafee.com/corporate/index?page=content&id=SB10366
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security.gentoo.org/glsa/202208-34
- https://nvd.nist.gov/vuln/detail/CVE-2021-33037
- https://github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8
- https://github.com/apache/tomcat/commit/19d11556d0db99df291df33605f137976d152475
- https://github.com/apache/tomcat/commit/3202703e6d635e39b74262e81f0cb4bcbe2170dc
- https://github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e
- https://github.com/apache/tomcat/commit/506134f957a4be2c5b4a9334f7b3435fc954dbc1
- https://github.com/apache/tomcat/commit/8874fa02e9b36baa9ca6b226c0882c0190ca5a02
- https://github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0
- https://github.com/apache/tomcat/commit/da0e7cb093cf68b052d9175e469dbd0464441b0b
- https://github.com/apache/tomcat/commit/eee0d024c1b3171560c92eaba79dd6eb8eb11bcd
- https://security.netapp.com/advisory/ntap-20210827-0007
- https://tomcat.apache.org/security-10.html
- https://tomcat.apache.org/security-8.html
- https://tomcat.apache.org/security-9.html
- https://lists.apache.org/thread/kovg1bft77xo34ksrcskh5nl50p69962
- https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b@%3Ccommits.tomee.apache.org%3E
- https://github.com/apache/tomcat