Is Messaging Gateway affected by CVE-2021-33037

Article ID: 223334

Updated On:

Products

Messaging Gateway

Issue/Introduction

CVE-2021-33037

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:

- Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
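The three header conditions listed above can be checked mechanically on requests seen at a reverse proxy or in a capture. The following Python check is an added example, not code from this article or from Apache Tomcat; the function name, finding labels and sample requests are constructed for illustration.

```python
# Added example: flag the three Transfer-Encoding conditions named in CVE-2021-33037.
# The finding labels and the sample requests below are constructed, not from the advisory.

def transfer_encoding_findings(raw_head: bytes) -> list:
    """Return the ambiguous-framing conditions present in a raw HTTP/1.x request head."""
    head = raw_head.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    version = request_line.rsplit(" ", 1)[-1].upper()

    # Collect codings from every Transfer-Encoding header, in the order received.
    codings = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "transfer-encoding":
            for token in value.split(","):
                coding = token.split(";", 1)[0].strip().lower()  # drop parameters
                if coding:
                    codings.append(coding)

    findings = []
    if not codings:
        return findings
    if version == "HTTP/1.0":
        # Condition 1: header sent by a client that declared HTTP/1.0.
        findings.append("te-on-http-1.0")
    if "identity" in codings:
        # Condition 2: the identity coding is present.
        findings.append("identity-coding")
    if "chunked" in codings and codings[-1] != "chunked":
        # Condition 3: chunked is present but is not the final coding.
        findings.append("chunked-not-final")
    return findings


# Constructed sample request heads (host name is a placeholder).
SAMPLES = {
    "clean": b"POST /a HTTP/1.1\r\nHost: mail.example\r\nTransfer-Encoding: chunked\r\n\r\n",
    "http10": b"POST /a HTTP/1.0\r\nHost: mail.example\r\nTransfer-Encoding: chunked\r\n\r\n",
    "identity": b"POST /a HTTP/1.1\r\nHost: mail.example\r\nTransfer-Encoding: identity\r\n\r\n",
    "order": b"POST /a HTTP/1.1\r\nHost: mail.example\r\nTransfer-Encoding: chunked, gzip\r\n\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(label, transfer_encoding_findings(head))
```

A request that triggers any of these findings is one where a front-end proxy and an affected Tomcat version could disagree about where the body ends, so it is a reasonable candidate for rejection or alerting at the proxy.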

Environment

Messaging Gateway Control Center

Resolution

No supported releases of Messaging Gateway (10.7.x) use an affected version of Apache Tomcat.