CVE-2021-33037 Apache Tomcat HTTP request smuggling vulnerability patched after 6 years

Cybersecurity specialists report the detection of an HTTP request smuggling vulnerability in Apache Tomcat that has been around for at least 5 years. As some may recall, Apache Tomcat is an open source Java servlet container maintained by the Apache Software Foundation.

Tomcat officials revealed that the vulnerability affects multiple versions of Apache Tomcat, as the implementation does not correctly parse the HTTP Transfer-Encoding request header under certain circumstances. This allows threat actors to smuggle requests when Tomcat is deployed behind a reverse proxy.

“Tomcat incorrectly ignored the Transfer-Encoding header if the client declared that it would only accept an HTTP/1.0 response; in addition, Tomcat did not ensure that, if present, chunked encoding was the final encoding,” the report states.
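To make the two conditions in that quote concrete, here is an added example (not code from the Tomcat project or the report) of a request-framing check written the way RFC 7230 expects a server or reverse proxy to behave: Transfer-Encoding is honoured regardless of what the client says about response versions, chunked must be the final coding, and a request carrying both Transfer-Encoding and Content-Length is refused rather than guessed at. The header samples are constructed for illustration.

```python
import re

class FramingError(ValueError):
    """Malformed or ambiguous body framing: the server should answer 400 and close."""

def parse_header_block(raw: str) -> dict:
    """Parse CRLF-separated 'Name: value' lines into a lower-cased dict; repeated
    list-valued headers (e.g. Transfer-Encoding) are merged with commas."""
    headers = {}
    for line in raw.split("\r\n"):
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise FramingError(f"malformed header line: {line!r}")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers

def decide_framing(headers: dict) -> tuple:
    """Decide how the body is delimited per RFC 7230 section 3.3.3.
    Returns ("chunked", -1), ("content-length", n) or ("none", 0). Only these two
    headers matter: a client's statement that it accepts only an HTTP/1.0 response
    must not switch Transfer-Encoding handling off (the mistake behind CVE-2021-33037)."""
    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te is not None:
        codings = [c.strip().lower() for c in te.split(",") if c.strip()]
        # chunked must appear exactly once and as the final coding; anything else is invalid.
        if codings.count("chunked") != 1 or codings[-1] != "chunked":
            raise FramingError(f"chunked must be the final transfer coding: {te!r}")
        if cl is not None:
            # TE wins over Content-Length, but proxy/back-end disagreement here is the desync.
            raise FramingError("Transfer-Encoding and Content-Length both present")
        return ("chunked", -1)
    if cl is not None:
        if not re.fullmatch(r"[0-9]+", cl):
            raise FramingError(f"invalid Content-Length: {cl!r}")
        return ("content-length", int(cl))
    return ("none", 0)

def framing_for(raw_headers: str) -> str:
    """Convenience wrapper: 'chunked', 'content-length:<n>', 'none' or 'reject'."""
    try:
        mode, n = decide_framing(parse_header_block(raw_headers))
    except FramingError:
        return "reject"
    return f"{mode}:{n}" if mode == "content-length" else mode
```

A duplicated Transfer-Encoding header is merged into one comma-separated list by the parser, so two `chunked` entries are rejected just like a misordered list.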

Mark Thomas, a member of the Apache Tomcat Project Management Committee, mentioned that the vulnerability has been present in the Tomcat code base since at least 2015: “It may have been present before that, but that’s the earliest release of the current supported versions. On the other hand, Tomcat’s review committee, composed only of volunteers, does not check previous versions without support,” Thomas adds.

As for the attack possibilities, HTTP request smuggling is a technique used to interfere with the way a website processes the sequences of HTTP requests it receives from one or more users. Request smuggling vulnerabilities are often critical: they allow attackers to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other users of the application.

This bug was reported to the developers by researchers Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu of Northeastern University. The flaw has not yet received a score under the Common Vulnerability Scoring System (CVSS), although Tomcat developers expect it to receive a high score.

In any case, the patches were released on June 8, although the announcement was delayed until July 12 because certain versions contained a significant regression in JSP processing, the report concludes.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.