CVE-2023-45648 & CVE-2023-42795: Two high severity flaws in Apache Tomcat
Apache Tomcat, the stalwart of the open-source Java community, offers a pure Java HTTP web server environment. Synonymous with efficiency, it serves as the backbone for prominent web applications like WordPress, Drupal, and Jira. However, even the mightiest fortresses face challenges.
Recently, three security vulnerabilities have been discovered in Apache Tomcat. These vulnerabilities can be exploited to cause denial of service, request smuggling, and information disclosure.
1. CVE-2023-42794 (Severity: Low): Apache Tomcat – denial of service
Tomcat’s DoS vulnerability originates in a flaw in Tomcat’s internal fork of Commons FileUpload. It manifested on Windows systems when a web application opened a stream for an uploaded file and failed to close it: the file remained locked on disk and was never deleted, slowly eating up storage space until the disk filled up and caused a full-fledged DoS.
Affected Versions:
- Apache Tomcat 9.0.70 to 9.0.80
- Apache Tomcat 8.5.85 to 8.5.93
Safety Steps:
Upgrade to Apache Tomcat 9.0.81 or 8.5.94.
2. CVE-2023-45648 (Severity: Important): Apache Tomcat – Request Smuggling
Tomcat encountered a chink in its armor when handling HTTP trailer headers. Due to a parsing error, a specially crafted, invalid trailer header could deceive Tomcat into interpreting a single request as multiple requests. CVE-2023-45648 turns particularly sinister behind a reverse proxy: when the proxy and Tomcat disagree on where one request ends and the next begins, the door is open to request smuggling.
Affected Versions:
- Apache Tomcat 11.0.0-M1 to 11.0.0-M11
- Apache Tomcat 10.1.0-M1 to 10.1.13
- Apache Tomcat 9.0.0-M1 to 9.0.80
- Apache Tomcat 8.5.0 to 8.5.93
Safety Steps:
Update to versions 11.0.0-M12, 10.1.14, 9.0.81, or 8.5.94 for sanctuary.
3. CVE-2023-42795 (Severity: Important): Apache Tomcat – information disclosure
In the constant churn of recycling internal objects for optimum performance, Tomcat stumbled. In certain scenarios the system inadvertently skipped parts of the recycling procedure, so that information from one request/response could leak into the subsequent request/response.
Affected Versions:
- Apache Tomcat 11.0.0-M1 to 11.0.0-M11
- Apache Tomcat 10.1.0-M1 to 10.1.13
- Apache Tomcat 9.0.0-M1 to 9.0.80
- Apache Tomcat 8.5.0 to 8.5.93
Safety Steps:
Update to versions 11.0.0-M12, 10.1.14, 9.0.81, or 8.5.94.
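As an added example that is not part of the original advisory, the following Python helper encodes the affected ranges listed above for all three CVEs and tells an operator which of them apply to an installed Tomcat, including milestone builds such as 10.1.0-M5. The version can be given directly or taken from the output of Tomcat's bin/version.sh, whose banner is assumed to read 'Server version: Apache Tomcat/x.y.z'.

```python
import re

# Inclusive affected ranges per release branch, copied from the advisory
# above; FIXED is the first patched release of each branch.
SHARED = {
    "11.0": ("11.0.0-M1", "11.0.0-M11"),
    "10.1": ("10.1.0-M1", "10.1.13"),
    "9.0": ("9.0.0-M1", "9.0.80"),
    "8.5": ("8.5.0", "8.5.93"),
}
ADVISORIES = {
    "CVE-2023-42794": {"9.0": ("9.0.70", "9.0.80"), "8.5": ("8.5.85", "8.5.93")},
    "CVE-2023-45648": SHARED,
    "CVE-2023-42795": SHARED,
}
FIXED = {"11.0": "11.0.0-M12", "10.1": "10.1.14", "9.0": "9.0.81", "8.5": "8.5.94"}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """'9.0.80' or '10.1.0-M5' -> comparable tuple; a milestone -Mn sorts
    before the final release with the same x.y.z (tail (0, n) vs (1, 0))."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def version_from_version_sh(output):
    """Extract the version from bin/version.sh output; the banner format
    'Server version: Apache Tomcat/9.0.80' is an assumption of this example."""
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", output)
    if not m:
        raise ValueError("no 'Server version' line in version.sh output")
    return m.group(1)


def affected_by(version):
    """Return {CVE: fix release} for each advisory whose range covers `version`.
    An empty result for a branch the advisory does not list (e.g. 10.0.x) means
    the advisory is silent about that branch, not that the branch is safe."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    hits = {}
    for cve, ranges in ADVISORIES.items():
        low, high = ranges.get(branch, (None, None))
        if low and parse_version(low) <= v <= parse_version(high):
            hits[cve] = FIXED[branch]
    return hits
```

Running `affected_by("9.0.80")` reports all three CVEs with 9.0.81 as the fix, while `affected_by("9.0.69")` reports only the two Important ones, because CVE-2023-42794 starts at 9.0.70.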