CVE-2019-17569

Description

The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

How to fix CVE-2019-17569

To remediate CVE-2019-17569, upgrade the affected package to a fixed version below.

• —upgrade to 7.0.56-3+really7.0.100-1 or later
• —upgrade to 8.5.54-0+deb9u1 or later
• —upgrade to 9.0.31-1 or later
• —upgrade to 7.0.100 or later
• —upgrade to 7.0.100 or later

Is CVE-2019-17569 being exploited?

Moderate — EPSS is 6.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (5)

• from 0, < 7.0.56-3+really7.0.100-1
• from 0, < 8.5.54-0+deb9u1
• from 0, < 9.0.31-1
• >= 7.0.98, < 7.0.100
• >= 7.0.98, < 7.0.100

CVSS scores

References (13)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-17569
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-17569
• WEBlists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
• WEBlists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E