Broadcom API Gateway 10.1 : CVE-2022-42252 Apache Tomcat Vulnerabilities

Article ID: 258443

Products

CA API Gateway

Issue/Introduction

CVE-2022-42252: If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers by setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-42252

Environment

Release: 10.1

Cause

CVE-2022-42252 is a security vulnerability that affects certain versions of the Apache Tomcat servlet container.
The vulnerability is related to the way the Tomcat container processes certain HTTP request headers (here, an invalid Content-Length header).
An attacker could exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable Tomcat server.
This could allow the attacker to inject malicious code into the server, potentially leading to a complete compromise of the system.

Resolution

Broadcom API Gateway 10.1 uses Apache Tomcat version 9.0.62, which was reported to be a release affected by this vulnerability.
However, the API Gateway product is NOT affected because it does not explicitly set the 'rejectIllegalHeader' attribute, so the Tomcat 9.0.x default (true) applies and requests carrying an invalid header are rejected.

This means that the vulnerability cannot be exploited against the API Gateway 10.1 product.
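The two conditions in the advisory (an affected Tomcat version, and an effective rejectIllegalHeader of false) can be checked mechanically against a server.xml, and the strict Content-Length rule that a hardened Tomcat or reverse proxy applies can be shown alongside. The script below is an added example, not Broadcom's or Apache Tomcat's code: the server.xml fragment is constructed, the affected version ranges and the per-version default are taken from the advisory text, and the function names are the author's own.

```python
"""Audit helper for CVE-2022-42252 exposure (added example, not Broadcom's or Tomcat's code).

Two checks:
 1. effective_reject_illegal_header(): for a Tomcat version and the attributes of
    one <Connector>, report the effective value of rejectIllegalHeader. Per the
    advisory the default is false on 8.5.x only and true on 9.0.x / 10.x; an
    explicit attribute on the Connector overrides the default.
 2. parse_content_length(): the strict Content-Length rule a server or reverse
    proxy should apply: ASCII digits only, and if the header is repeated every
    copy must agree. Anything else is an invalid header that a server running
    with rejectIllegalHeader=true refuses to process.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges as listed in the advisory (milestone suffixes such as -M1 are
# reduced to their numeric prefix, so 9.0.0-M1 is treated as 9.0.0).
AFFECTED = [((8, 5, 0), (8, 5, 82)), ((9, 0, 0), (9, 0, 67)),
            ((10, 0, 0), (10, 0, 26)), ((10, 1, 0), (10, 1, 0))]

# Constructed sample server.xml: one connector that relies on the default, one
# that explicitly relaxes the check, and an AJP connector that has no such attribute.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150"/>
    <Connector port="8080" protocol="HTTP/1.1" rejectIllegalHeader="false"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>
"""


def parse_version(version):
    """'9.0.62' -> (9, 0, 62); '9.0.0-M1' -> (9, 0, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(version):
    """True if the Tomcat build falls inside one of the advisory's ranges."""
    t = parse_version(version)
    return any(lo <= t <= hi for lo, hi in AFFECTED)


def effective_reject_illegal_header(version, connector_attrs):
    """Explicit attribute wins; otherwise the advisory's default: false on 8.5.x, true elsewhere."""
    explicit = connector_attrs.get("rejectIllegalHeader")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return parse_version(version)[:2] != (8, 5)


def audit_server_xml(xml_text, version):
    """One finding per HTTP connector; 'exposed' means both CVE conditions hold."""
    root = ET.fromstring(xml_text)
    affected_build = version_in_affected_range(version)
    findings = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if "AJP" in proto.upper():
            continue  # AJP connectors do not parse HTTP headers
        reject = effective_reject_illegal_header(version, conn.attrib)
        findings.append({
            "port": conn.get("port"),
            "protocol": proto,
            "rejectIllegalHeader": reject,
            "exposed": affected_build and not reject,
        })
    return findings


def parse_content_length(values):
    """Strict parse of all received Content-Length values.

    Returns the body length, None when the header is absent, and raises
    ValueError for anything a conforming server must reject. [0-9] is used
    instead of \\d because \\d would also accept non-ASCII digits.
    """
    cleaned = [v.strip(" \t") for v in values]
    if any(re.fullmatch(r"[0-9]+", v) is None for v in cleaned):
        raise ValueError("Content-Length must be ASCII digits only: %r" % values)
    if len(set(cleaned)) > 1:
        raise ValueError("conflicting Content-Length values: %r" % values)
    return int(cleaned[0]) if cleaned else None


def content_length_is_valid(values):
    """Boolean wrapper used when only accept/reject matters."""
    try:
        parse_content_length(values)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for finding in audit_server_xml(SAMPLE_SERVER_XML, "9.0.62"):
        print(finding)
    for raw in (["42"], [" 42 ", "42"], ["4 2"], ["42", "43"], ["+42"]):
        print(raw, "accepted" if content_length_is_valid(raw) else "rejected")
```

Run against the sample, the 8443 connector on Tomcat 9.0.62 reports exposed=False (affected build, but the 9.0.x default rejects invalid headers, which is the API Gateway 10.1 situation), while the 8080 connector with rejectIllegalHeader="false" reports exposed=True. The Content-Length check rejects embedded whitespace, sign characters and disagreeing duplicates, which are the malformed values a request smuggling attempt relies on a lenient parser accepting.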