CVE-2021-33037

Summary

CVE	CVE-2021-33037
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-07-12 15:15:00 UTC
Updated	2023-11-07 03:35:00 UTC
Description	Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Risk And Classification

Problem Types: CWE-444

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Tomcat	All	All	All	All
Application	Apache	Tomcat	All	All	All	All
Application	Apache	Tomcat	All	All	All	All
Application	Apache	Tomee	8.0.6	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Mcafee	Epolicy Orchestrator	All	All	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	-	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_1	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_10	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_2	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_3	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_4	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_5	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_6	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_7	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_8	All	All
Application	Mcafee	Epolicy Orchestrator	5.10.0	update_9	All	All
Application	Oracle	Agile Plm	9.3.6	All	All	All
Application	Oracle	Communications Cloud Native Core Policy	1.14.0	All	All	All
Application	Oracle	Communications Cloud Native Core Service Communication Proxy	1.14.0	All	All	All
Application	Oracle	Communications Diameter Signaling Router	All	All	All	All
Application	Oracle	Communications Diameter Signaling Router	All	All	All	All
Application	Oracle	Communications Instant Messaging Server	10.0.1.5.0	All	All	All
Application	Oracle	Communications Policy Management	12.5.0	All	All	All
Application	Oracle	Communications Pricing Design Center	12.0.0.3.0	All	All	All
Application	Oracle	Communications Session Report Manager	All	All	All	All
Application	Oracle	Communications Session Route Manager	All	All	All	All
Application	Oracle	Graph Server And Client	All	All	All	All
Application	Oracle	Healthcare Translational Research	4.1.0	All	All	All
Application	Oracle	Hospitality Cruise Shipboard Property Management System	20.1.0	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.1	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.2	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.3	All	All	All
Application	Oracle	Managed File Transfer	12.2.1.3.0	All	All	All
Application	Oracle	Managed File Transfer	12.2.1.4.0	All	All	All
Application	Oracle	Mysql Enterprise Monitor	All	All	All	All
Application	Oracle	Sd-wan Edge	9.0	All	All	All
Application	Oracle	Sd-wan Edge	9.1	All	All	All
Application	Oracle	Secure Global Desktop	5.6	All	All	All
Application	Oracle	Utilities Testing Accelerator	6.0.0.1.1	All	All	All
Application	Oracle	Utilities Testing Accelerator	6.0.0.2.2	All	All	All
Application	Oracle	Utilities Testing Accelerator	6.0.0.3.1	All	All	All

References

Reference	Source	Link	Tags
Pony Mail!	MLIST	lists.apache.org
[tomee-commits] 20210913 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037		lists.apache.org
[tomee-commits] 20210914 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037		lists.apache.org
July 2021 Apache Tomcat Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
Security Bulletin - ePolicy Orchestrator update addresses two product vulnerabilities (CVE-2021-31834 and CVE-2021-31835) and updates Java, OpenSSL, and Tomcat	CONFIRM	kc.mcafee.com
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - July 2021	N/A	www.oracle.com
[tomee-commits] 20210916 [jira] [Resolved] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037		lists.apache.org
[tomee-commits] 20210728 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037		lists.apache.org
Pony Mail!	MISC	lists.apache.org
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
[SECURITY] [DLA 2733-1] tomcat8 security update	MLIST	lists.debian.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
Debian -- Security Information -- DSA-4952-1 tomcat9	DEBIAN	www.debian.org
Pony Mail!	MLIST	lists.apache.org
Apache Tomcat: Multiple Vulnerabilities (GLSA 202208-34) — Gentoo security	GENTOO	security.gentoo.org
[tomee-commits] 20210728 [jira] [Created] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[tomee-commits] 20210830 [jira] [Commented] (TOMEE-3778) Update embedded Tomcat to 9.0.48 or later to address CVE-2021-33037		lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: The Apache Tomcat Security Team would like to thank Bahruz Jabiyev, Steven Sprecher and Kaan Onarlioglu of NEU seclab for identifying and reporting this issue.

Legacy QID Mappings

150367 Apache Tomcat HTTP Request Smuggling Vulnerability (CVE-2021-33037)
178743 Debian Security Update for tomcat8 (DLA 2733-1)
178746 Debian Security Update for tomcat9 (DSA 4952-1)
180184 Debian Security Update for tomcat9 (CVE-2021-33037)
198724 Ubuntu Security Notification for Tomcat Vulnerabilities (USN-5360-1)
239916 Red Hat Update for red hat jboss web server 5.6.0 (RHSA-2021:4861)
296065 Oracle Solaris 11.4 Support Repository Update (SRU) 39.107.1 Missing (CPUOCT2021)
352800 Amazon Linux Security Advisory for tomcat8: ALAS-2021-1535
356206 Amazon Linux Security Advisory for tomcat : ALASTOMCAT9-2023-007
356267 Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-007
376076 F5 BIG-IP Application Security Manager (ASM), Local Traffic Manager (LTM), Access Policy Manager (APM) Apache Tomcat Vulnerability (K32469285)
690073 Free Berkeley Software Distribution (FreeBSD) Security Update for tomcat (d34bef0b-f312-11eb-b12b-fc4dd43e2b6a)
710609 Gentoo Linux Apache Tomcat Multiple Vulnerabilities (GLSA 202208-34)
730141 Apache Tomcat HTTP Request Smuggling Vulnerability (CVE-2021-33037)
730327 Atlassian Jira Server Multiple Security Vulnerabilities (JRASERVER-73171, JRASERVER-73071, JRASERVER-73070)
751320 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:3602-1)
751355 OpenSUSE Security Update for tomcat (openSUSE-SU-2021:3672-1)
751364 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:3669-1)
751365 SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2021:3670-1)
751370 OpenSUSE Security Update for tomcat (openSUSE-SU-2021:1490-1)
980269 Java (maven) Security Update for org.apache.tomcat:tomcat (GHSA-4vww-mc66-62m6)