DX NetOps Spectrum: CVE-2022-42252 Apache Tomcat Request Smuggling vulnerability

Article ID: 260212

Products

CA Spectrum DX NetOps

Issue/Introduction

This article addresses CVE-2022-42252, an Apache Tomcat request smuggling vulnerability, as it applies to DX NetOps Spectrum.

From the Apache Tomcat 9 Configuration Reference (HTTP Connector attributes):

rejectIllegalHeader
If an HTTP request is received that contains an illegal header name or value (e.g. the header name is not a token), this setting determines whether the request will be rejected with a 400 response (true) or the illegal header will be ignored (false). The default value is true, which causes the request to be rejected.

As per the links below, the resolution is either to upgrade Apache Tomcat or to apply the mitigation "Ensure rejectIllegalHeader is set to true":

https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq

https://nvd.nist.gov/vuln/detail/CVE-2022-42252


Environment

Release : 21.2.x & 22.2.x

Resolution

The attribute rejectIllegalHeader is set to true by default in Apache Tomcat 9.0.x, which is the version used by NetOps Spectrum.

This attribute defaulted to false only in Apache Tomcat 8.5.x; all subsequent Apache Tomcat versions have it set to true by default.

Refer to https://nvd.nist.gov/vuln/detail/CVE-2022-42252, which states:

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only).

NetOps Spectrum does not set this attribute explicitly, so the Apache Tomcat 9.0.x default of true applies.
The mitigation is therefore already in place for NetOps Spectrum.
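The mitigation depends on the effective value of rejectIllegalHeader on every HTTP Connector, which is whatever server.xml sets explicitly or, when the attribute is absent, the default for the Tomcat line in use (false on 8.5.x, true on 9.0.x and later, as stated above). The following script is an added example, not part of this article or of the Spectrum product, that audits a server.xml against that rule. The server.xml content is constructed for illustration, and the function names (default_reject_illegal_header, audit_connectors, connectors_accepting_illegal_headers) are hypothetical; in practice the Connector elements would be read from the installed server.xml and the version from the Tomcat build in use.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment for illustration; not taken from a Spectrum
# installation. Three HTTP connectors: one that relies on the default, one that
# explicitly disables the check, and one that explicitly enables it.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8081" protocol="HTTP/1.1"
               rejectIllegalHeader="false" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" rejectIllegalHeader="true"/>
  </Service>
</Server>
"""


def default_reject_illegal_header(tomcat_version):
    """Default value of rejectIllegalHeader for a Tomcat version string such
    as "9.0.63": false only on the 8.5.x line, true otherwise (as the
    article states)."""
    major, minor = (int(p) for p in tomcat_version.split(".")[:2])
    return not (major == 8 and minor == 5)


def audit_connectors(server_xml, tomcat_version):
    """Return one dict per <Connector> with the effective value of
    rejectIllegalHeader and whether it came from server.xml or the default."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        explicit = conn.get("rejectIllegalHeader")
        if explicit is None:
            effective = default_reject_illegal_header(tomcat_version)
            source = "default"
        else:
            # The attribute is a boolean; only "true" (case-insensitive)
            # counts as enabled, anything else is treated here as false.
            effective = explicit.strip().lower() == "true"
            source = "explicit"
        findings.append({
            "port": conn.get("port"),
            "protocol": conn.get("protocol"),
            "rejectIllegalHeader": effective,
            "source": source,
        })
    return findings


def connectors_accepting_illegal_headers(server_xml, tomcat_version):
    """Ports of connectors whose effective rejectIllegalHeader is false,
    i.e. connectors that do not have the CVE-2022-42252 mitigation in place."""
    return [f["port"] for f in audit_connectors(server_xml, tomcat_version)
            if not f["rejectIllegalHeader"]]


if __name__ == "__main__":
    # Same configuration evaluated under a 9.0.x and an 8.5.x default.
    for version in ("9.0.63", "8.5.80"):
        for finding in audit_connectors(SAMPLE_SERVER_XML, version):
            print(version, finding)
        print(version, "connectors needing attention:",
              connectors_accepting_illegal_headers(SAMPLE_SERVER_XML, version))
```

Run against the constructed input, the connector on port 8081 is flagged regardless of version because it sets the attribute to false explicitly, while port 8080 is flagged only when the assumed Tomcat line is 8.5.x, where the absent attribute means the insecure default. That matches the article's reasoning for Spectrum: no explicit attribute plus a 9.0.x build gives an effective value of true.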


Additional Information

NetOps Spectrum and Apache Tomcat component mapping:

Spectrum 10.4.3 (20.2.7 - 20.2.9) -> Tomcat 9.0.41
Spectrum 10.4.3.1 (20.2.10)       -> Tomcat 9.0.43

Spectrum 21.2.2                   -> Tomcat 9.0.50
Spectrum 21.2.4                   -> Tomcat 9.0.52
Spectrum 21.2.6                   -> Tomcat 9.0.54
Spectrum 21.2.8                   -> Tomcat 9.0.58
Spectrum 21.2.12                  -> Tomcat 9.0.63

Spectrum 22.2.2 / 22.2.3          -> Tomcat 9.0.65
Spectrum 22.2.4 / 22.2.5          -> Tomcat 9.0.68