QID 352290
Date Published: 2021-05-19
QID 352290: Amazon Linux Security Update for tomcat7: AL2012-2021-331
Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2020-1935:
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
1806835:
CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling
A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. The highest threat with this vulnerability is system availability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
CVEs related to QID 352290
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| AL2012-2021-331 | Amazon Linux Bare Metal |
docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-updates.html |