CVE-2023-34981 is an information disclosure vulnerability recently disclosed in Apache Tomcat. Reported by Hidenobu Hayashi and Yuichiro Fukubayashi of M3, Inc., this vulnerability poses a significant threat and has been rated “Important” in severity.
Apache Tomcat, developed by the Apache Software Foundation, is an open-source implementation of Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket technologies. As a widely adopted software, any vulnerability identified in its core poses a significant risk to its vast user base.
CVE-2023-34981 affects the following versions of Apache Tomcat:
– Apache Tomcat 11.0.0-M5
– Apache Tomcat 10.1.8
– Apache Tomcat 9.0.74
– Apache Tomcat 8.5.88
This vulnerability is a twisty tale of an attempted solution becoming the source of another problem. The saga began with the fix for bug 66512, which addressed an entirely different issue. That fix unintentionally introduced a regression, tracked as bug 66591, which is the vulnerability we’re now facing.
So, how does CVE-2023-34981 work? If a response does not have any HTTP headers set, no AJP SEND_HEADERS message is sent. The consequence is that AJP-based proxies, such as mod_proxy_ajp, reuse the response headers from the previous request for the current request. The result is an unintended spillage of information that opens the door to potential exploitation.
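The header-reuse mechanism described above, modelled as an added Python example that is not Tomcat or mod_proxy_ajp code; the message prefix codes follow the AJP13 protocol, and the connection, responses and cookie value are constructed for illustration:

```python
# Simplified model of the CVE-2023-34981 failure mode: the proxy keeps a
# per-connection header buffer that is replaced only when the container sends
# a SEND_HEADERS message. Constructed illustration, not mod_proxy_ajp code.
from dataclasses import dataclass, field

# AJP13 container-to-proxy message prefix codes.
SEND_BODY_CHUNK = 3
SEND_HEADERS = 4
END_RESPONSE = 5

@dataclass
class ProxyConnection:
    """One persistent AJP connection on the proxy side."""
    last_headers: dict = field(default_factory=dict)

    def relay(self, messages):
        """Consume one response's AJP messages; return (headers, body) as
        the client receives them."""
        body = b""
        for kind, payload in messages:
            if kind == SEND_HEADERS:
                self.last_headers = dict(payload)
            elif kind == SEND_BODY_CHUNK:
                body += payload
            elif kind == END_RESPONSE:
                break
        # The bug: with no SEND_HEADERS in this response, last_headers still
        # holds the previous response's headers and they go to this client.
        return dict(self.last_headers), body

def container_response(headers, body, always_send_headers):
    """AJP messages a servlet container emits for one response.
    always_send_headers=False models the regressed versions: a response with
    no headers set emits no SEND_HEADERS message at all."""
    msgs = []
    if headers or always_send_headers:
        msgs.append((SEND_HEADERS, headers))
    msgs.append((SEND_BODY_CHUNK, body))
    msgs.append((END_RESPONSE, b""))
    return msgs

def second_client_headers(always_send_headers):
    """Two responses over one reused connection; returns the headers the
    second client sees. The cookie value is constructed, not real."""
    conn = ProxyConnection()
    conn.relay(container_response({"Set-Cookie": "JSESSIONID=constructed"},
                                  b"user A page", always_send_headers))
    headers, _ = conn.relay(container_response({}, b"user B page",
                                               always_send_headers))
    return headers
```

With `always_send_headers=False` the second client receives the first client's `Set-Cookie` header; a container that always emits SEND_HEADERS, even an empty one, clears the stale buffer.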
Though the vulnerability is significant, the good news is that the Apache Software Foundation has acted swiftly, releasing newer, fortified versions of Tomcat that address this issue. The recommendation for users of the affected versions is straightforward – upgrade.
Mitigation options include:
– Upgrading to Apache Tomcat 11.0.0-M6 or later
– Upgrading to Apache Tomcat 10.1.9 or later
– Upgrading to Apache Tomcat 9.0.75 or later
– Upgrading to Apache Tomcat 8.5.89 or later