From the ‘It’s not XSS or CSRF’ files:
The Apache Software Foundation is out this week with patches for Tomcat, its Java servlet container. What interested me most about the update is that it addresses a flaw first identified in 2014.
What also interested me was the type of flaw, which I don’t see all that often.
– Apache Tomcat 8.0.0-RC1 to 8.0.8, Apache Tomcat 7.0.0 to 7.0.54 and Apache Tomcat 6.0.0 to 6.0.41 are all affected by CVE-2014-0227, which the advisory classifies as a request smuggling vulnerability.
According to the Apache security advisory, “It was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request.” That is what makes it smuggling rather than a plain parsing bug: bytes that a front-end proxy or WAF forwarded as the body of one request are handled by Tomcat as a second request the front end never inspected.
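To make the advisory’s one sentence concrete, here is an added example (my own constructed model, not Tomcat’s ChunkedInputFilter or any code from the advisory) of a keep-alive server loop with a chunked-body decoder. The function names, the `strict` flag and the two requests `SMUGGLED` and `VALID` are all assumptions made up for illustration. The lenient policy aborts the current body on a bad chunk-size line but leaves the connection, and the unconsumed bytes on it, open, so the next loop iteration parses what was sent as body as a brand-new request; the strict policy closes the connection on the same input.

```python
import re

# Constructed, simplified model of an HTTP/1.1 keep-alive request loop.
# This is NOT Tomcat's implementation; it only demonstrates the failure mode
# the advisory describes: a malformed chunk turning the rest of the body into
# a new request.

class BadChunk(Exception):
    """Raised on a malformed chunk. `rest` is whatever the decoder had not
    consumed when it gave up (everything after the offending line)."""
    def __init__(self, reason, rest):
        super().__init__(reason)
        self.rest = rest

HEX_SIZE = re.compile(rb"^[0-9A-Fa-f]+$")

def parse_head(buf):
    """Split one request head off the front of buf.
    Returns (request_line, headers, rest) or None if no complete head yet."""
    end = buf.find(b"\r\n\r\n")
    if end == -1:
        return None
    lines = buf[:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, buf[end + 4:]

def read_chunked_body(buf):
    """Decode a chunked body from the front of buf; return (body, rest)."""
    body = b""
    while True:
        nl = buf.find(b"\r\n")
        if nl == -1:
            raise BadChunk("incomplete chunk-size line", b"")
        size_field = buf[:nl].split(b";", 1)[0].strip()  # drop chunk extensions
        buf = buf[nl + 2:]                                 # size line is consumed either way
        if not HEX_SIZE.match(size_field):
            raise BadChunk("malformed chunk size %r" % size_field, buf)
        size = int(size_field, 16)
        if size == 0:
            if not buf.startswith(b"\r\n"):                 # no trailers in this model
                raise BadChunk("missing CRLF after last-chunk", buf)
            return body, buf[2:]
        if len(buf) < size + 2 or buf[size:size + 2] != b"\r\n":
            raise BadChunk("truncated chunk data", b"")
        body += buf[:size]
        buf = buf[size + 2:]

def serve_connection(stream, strict):
    """Run the request loop over everything received on one keep-alive
    connection. Returns a list of (request_line, outcome) where outcome is the
    decoded body or an error string."""
    log = []
    buf = stream
    while True:
        head = parse_head(buf)
        if head is None:
            break
        request_line, headers, rest = head
        if headers.get("transfer-encoding", "").lower() == "chunked":
            try:
                body, rest = read_chunked_body(rest)
            except BadChunk as e:
                log.append((request_line, "400 " + str(e)))
                if strict:
                    # Hardened policy: a malformed chunk is a protocol error.
                    # Close the connection and discard everything buffered on it.
                    break
                # Vulnerable policy: the body decoder gave up, but the connection
                # stays open and the unconsumed remainder of the *body* is still
                # in the buffer, where the next iteration parses it as a request.
                buf = e.rest
                continue
        elif "content-length" in headers:
            n = int(headers["content-length"])
            body, rest = rest[:n], rest[n:]
        else:
            body = b""
        log.append((request_line, body))
        buf = rest
    return log

# Constructed traffic as a reverse proxy would forward it: ONE request whose
# chunked body starts with a non-hex chunk-size line ("zz") followed by text
# shaped like a second request. The proxy saw only the body of POST /.
SMUGGLED = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"zz\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)

# A well-formed chunked request, to show the decoder itself behaves normally.
VALID = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"
    b"6\r\n world\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    print("valid   :", serve_connection(VALID, strict=True))
    print("lenient :", serve_connection(SMUGGLED, strict=False))
    print("strict  :", serve_connection(SMUGGLED, strict=True))
```

Under the lenient policy the log shows two requests handled on the connection, the second being `GET /admin HTTP/1.1`, even though the client (or the proxy in front of the server) only ever sent one; under the strict policy the log stops at the 400 and `/admin` is never dispatched. The design point is the same one the advisory implies: once a body decoder cannot trust its position in the stream, the only safe response is to stop reusing that connection.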
Apache’s advisory notes that the issue was identified by the Tomcat security team on 30 May 2014 and made public on 9 February 2015.
Why so long? I’m not exactly sure, but given that the Tomcat security team found the issue on its own and, as far as anyone was aware, it was not being exploited, a gap of more than eight months between discovery and public disclosure is plausible.
Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist