Fwd: [thredds] [SECURITY] CVE-2023-46589 Apache Tomcat - Request Smuggling


Roy Mendelssohn - NOAA Federal

Nov 29, 2023, 9:52:12 AM
to erdDAP
We strongly recommend that people upgrade their tomcat instance. 

-Roy


Begin forwarded message:

From: Jennifer Oxelson Ganter <oxe...@ucar.edu>
Subject: [thredds] Fwd: [SECURITY] CVE-2023-46589 Apache Tomcat - Request Smuggling
Date: November 28, 2023 at 7:45:10 AM PST
To: THREDDS community <thr...@unidata.ucar.edu>

Good morning all,

Another Tomcat CVE reported. Please upgrade to the latest release, especially if you are running your TDS behind a reverse proxy.


---------- Forwarded message ---------
From: Mark Thomas <ma...@apache.org>
Date: Tue, Nov 28, 2023 at 8:32 AM
Subject: [SECURITY] CVE-2023-46589 Apache Tomcat - Request Smuggling
To: us...@tomcat.apache.org <us...@tomcat.apache.org>
Cc: <anno...@apache.org>, anno...@tomcat.apache.org <anno...@tomcat.apache.org>, Tomcat Developers List <d...@tomcat.apache.org>


CVE-2023-46589 Apache Tomcat - Request Smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M10
Apache Tomcat 10.1.0-M1 to 10.1.15
Apache Tomcat 9.0.0-M1 to 9.0.82
Apache Tomcat 8.5.0 to 8.5.95

Description:
Tomcat did not correctly parse HTTP trailer headers. A specially crafted
trailer header that exceeded the header size limit could cause Tomcat to
treat a single request as multiple requests leading to the possibility
of request smuggling when behind a reverse proxy.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M11 or later
- Upgrade to Apache Tomcat 10.1.16 or later
- Upgrade to Apache Tomcat 9.0.83 or later
- Upgrade to Apache Tomcat 8.5.96 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team
by Norihito Aimoto (OSSTech Corporation).

History:
2023-11-28 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
_______________________________________________
NOTE: All exchanges posted to Unidata maintained email lists are
recorded in the Unidata inquiry tracking system and made publicly
available through the web.  Users who post to any of the lists we
maintain are reminded to remove any personal information that they
do not want to be made public.


thredds mailing list
thr...@unidata.ucar.edu
For list information or to unsubscribe,  visit: https://www.unidata.ucar.edu/mailing_lists/

**********************
"The contents of this message do not reflect any position of the U.S. Government or NOAA."
**********************
Roy Mendelssohn
Supervisory Operations Research Analyst
NOAA/NMFS
Environmental Research Division
Southwest Fisheries Science Center
***Note new street address***
110 McAllister Way
Santa Cruz, CA 95060
Phone: (831)-420-3666
Fax: (831) 420-3980
e-mail: Roy.Men...@noaa.gov www: https://www.pfeg.noaa.gov/

"Old age and treachery will overcome youth and skill."
"From those who have been given much, much will be expected" 
"the arc of the moral universe is long, but it bends toward justice" -MLK Jr.
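The advisory gives four affected ranges and four fixed versions, and the only recommended mitigation is to upgrade, so the practical first step for a TDS or ERDDAP operator is to confirm which branch and release each Tomcat instance is on. The script below is an added example written for this post; it is not code from the Tomcat project or from the advisory authors. It encodes the version ranges exactly as listed above and handles the milestone builds (`11.0.0-M10`, `10.1.0-M1`) that a naive string comparison gets wrong, since `M10` must sort after `M9` and every milestone must sort before the final release with the same patch number. The banner line it parses is in the form printed by Tomcat's own `catalina.sh version` / `version.sh` (`Server version: Apache Tomcat/9.0.82`); the sample banners in the block are constructed for illustration.

```python
"""Classify Apache Tomcat versions against the CVE-2023-46589 advisory.

Added example, not part of the advisory. The ranges below are transcribed
from the "Versions Affected" and "Mitigation" sections of the advisory.
"""
import re
from typing import Tuple

# branch -> (first affected, last affected, first fixed), per the advisory
AFFECTED = {
    "11.0": ("11.0.0-M1", "11.0.0-M10", "11.0.0-M11"),
    "10.1": ("10.1.0-M1", "10.1.15", "10.1.16"),
    "9.0": ("9.0.0-M1", "9.0.82", "9.0.83"),
    "8.5": ("8.5.0", "8.5.95", "8.5.96"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_BANNER_RE = re.compile(r"Apache Tomcat/(\S+)")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn 'major.minor.patch[-Mn]' into a tuple that sorts correctly.

    The fourth element is 1 for a final release and 0 for a milestone, so
    9.0.0-M1 < 9.0.0; the fifth is the milestone number, so
    11.0.0-M9 < 11.0.0-M10 (string comparison would get this backwards).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_final = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def version_from_banner(line: str) -> str:
    """Extract the version from a 'Server version: Apache Tomcat/x.y.z' line."""
    m = _BANNER_RE.search(line)
    if not m:
        raise ValueError(f"no Tomcat version found in: {line!r}")
    return m.group(1)


def assess(version_text: str) -> Tuple[str, str]:
    """Return (status, advice); status is 'affected', 'fixed' or 'unlisted'.

    'unlisted' covers branches the advisory does not mention (for example
    end-of-life 7.0); those need to be checked against the Tomcat security
    pages rather than assumed safe.
    """
    v = parse_version(version_text)
    branch = f"{v[0]}.{v[1]}"
    if branch not in AFFECTED:
        return ("unlisted", "branch not covered by this advisory; consult the Tomcat security pages")
    low, high, fixed = AFFECTED[branch]
    if parse_version(low) <= v <= parse_version(high):
        return ("affected", f"upgrade to Apache Tomcat {fixed} or later")
    if v >= parse_version(fixed):
        return ("fixed", "not affected by CVE-2023-46589")
    return ("unlisted", "version outside the listed range; consult the Tomcat security pages")


if __name__ == "__main__":
    # Constructed sample banners, e.g. collected from `catalina.sh version`
    # on several hosts; these are illustrative, not real inventory data.
    banners = [
        "tds-1    Server version: Apache Tomcat/9.0.82",
        "tds-2    Server version: Apache Tomcat/9.0.83",
        "erddap-1 Server version: Apache Tomcat/10.1.0-M1",
        "erddap-2 Server version: Apache Tomcat/11.0.0-M10",
        "legacy   Server version: Apache Tomcat/7.0.109",
    ]
    for line in banners:
        host = line.split()[0]
        status, advice = assess(version_from_banner(line))
        print(f"{host:10} {status:9} {advice}")
```

Run it against the output of `catalina.sh version` from each server (the hostname prefix in the sample lines is just a label). Because the affected range for every listed branch starts at that branch's first release, anything on 8.5, 9.0, 10.1 or 11.0 that is not at or above the fixed version reports as affected; the `unlisted` status is deliberately not `safe`, so that branches outside the advisory are investigated rather than ignored.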
