DX NetOps Spectrum: CVE-2022-42252 Apache Tomcat Request Smuggling vulnerability


Article ID: 260212



CA Spectrum DX NetOps


Does the Apache Tomcat vulnerability CVE-2022-42252 (Apache Tomcat Request Smuggling) affect DX NetOps Spectrum, and is any mitigation required?

From the Apache Tomcat 9 Configuration Reference (rejectIllegalHeader attribute of the HTTP Connector):

If an HTTP request is received that contains an illegal header name or value (e.g. the header name is not a token) this setting determines if the request will be rejected with a 400 response (true) or if the illegal header will be ignored (false). The default value is true which will cause the request to be rejected.

Per the references below, the resolution is either to upgrade Apache Tomcat or to apply the mitigation "Ensure rejectIllegalHeader is set to true":





Release : 21.2.x & 22.2.x


The attribute rejectIllegalHeader is set to true by default in Apache Tomcat 9.0.x, which is the version used by NetOps Spectrum.

This attribute defaulted to false only in Apache Tomcat 8.5.x; all subsequent Apache Tomcat versions have it set to true by default.

Refer to https://nvd.nist.gov/vuln/detail/CVE-2022-42252

The NVD description scopes the issue to Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 when configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only).
NetOps Spectrum does not set this attribute explicitly in its Tomcat configuration, so the Apache Tomcat 9.0.x default of true applies and requests carrying an illegal header are rejected with a 400 response.
The mitigation is therefore already in place for NetOps Spectrum. To confirm this on a given installation, check that no HTTP Connector in the Tomcat server.xml sets rejectIllegalHeader="false".
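As an added example (not Broadcom's or the Apache Tomcat project's code), the following Python script applies both conditions from the NVD description to a Tomcat installation: it tests the build number against the affected ranges and audits a server.xml for any HTTP Connector whose effective rejectIllegalHeader is false, including the 8.5.x case where an omitted attribute meant false. The server.xml content is constructed for the example, and the handling of milestone tags ("-M1" / ".M1") is this script's own assumption about Tomcat's version strings.

```python
"""Exposure check for CVE-2022-42252 (added example; not Broadcom or Tomcat code).

The advisory makes exposure conditional on two things at once:
  1. the Tomcat build is in an affected range, and
  2. an HTTP Connector ignores illegal headers (rejectIllegalHeader="false",
     or the attribute omitted on 8.5.x, where false was the default).
Only when both hold can a request with an invalid header reach the
application instead of being rejected with a 400 response.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release on each affected branch, derived from the NVD ranges
# (8.5.0-8.5.82, 9.0.0-M1-9.0.67, 10.0.0-M1-10.0.26, 10.1.0-M1-10.1.0).
FIRST_FIXED = {
    (8, 5): "8.5.83",
    (9, 0): "9.0.68",
    (10, 0): "10.0.27",
    (10, 1): "10.1.1",
}

# Accept both milestone spellings seen in the wild: "9.0.0.M1" and "10.0.0-M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(text):
    """Turn '9.0.68' or '10.1.0-M1' into a sortable tuple.

    Milestones sort before the GA release of the same number:
    '10.1.0-M1' -> (10, 1, 0, 0, 1) and '10.1.0' -> (10, 1, 0, 1, 0).
    This ordering is the script's assumption, not Tomcat's own API.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def version_affected(version):
    """True if this build falls inside one of the NVD ranges."""
    v = parse_version(version)
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:                 # branch not listed at all (e.g. 11.0.x)
        return False
    return v < parse_version(fixed)   # each range starts at the branch's first build


def weak_connectors(server_xml, version):
    """Ports of HTTP Connectors whose effective rejectIllegalHeader is false.

    An absent attribute inherits the branch default: false on 8.5.x,
    true on 9.0.x and later. AJP connectors are skipped because the
    attribute belongs to the HTTP/1.1 protocol handlers.
    """
    branch_default = "false" if parse_version(version)[:2] == (8, 5) else "true"
    root = ET.fromstring(server_xml)
    weak = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")   # Tomcat's own default protocol
        if "ajp" in protocol.lower():
            continue
        effective = conn.get("rejectIllegalHeader", branch_default)
        if effective.strip().lower() == "false":
            weak.append(conn.get("port", "?"))
    return weak


def exposed(version, server_xml):
    """Both conditions must hold for the smuggling issue to be reachable."""
    return version_affected(version) and bool(weak_connectors(server_xml, version))


# Constructed server.xml for the example: one connector with the attribute
# omitted, one explicitly weakened, and one AJP connector where it does not apply.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" rejectIllegalHeader="false"/>
    <Connector port="8009" protocol="AJP/1.3" rejectIllegalHeader="false"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for ver in ("9.0.65", "9.0.68", "8.5.82"):
        print(ver, "affected build:", version_affected(ver),
              "weak connectors:", weak_connectors(SAMPLE_SERVER_XML, ver),
              "exposed:", exposed(ver, SAMPLE_SERVER_XML))
```

Run against the server.xml of the Tomcat instance that Spectrum ships, with the Tomcat build from the mapping below, the expected result for a default Spectrum configuration is no weak connectors, even on builds that fall inside the affected range.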


Additional Information

NetOps Spectrum and Apache Tomcat component mapping:

Spectrum 10.4.3 (20.2.7 - 20.2.9) -> Tomcat 9.0.41
Spectrum (20.2.10)         -> Tomcat 9.0.43

Spectrum 21.2.2   -> Tomcat 9.0.50  
Spectrum 21.2.4   -> Tomcat 9.0.52  
Spectrum 21.2.6   -> Tomcat 9.0.54  
Spectrum 21.2.8   -> Tomcat 9.0.58 
Spectrum 21.2.12 -> Tomcat 9.0.63

Spectrum 22.2.2 / 22.2.3 -> Tomcat 9.0.65
Spectrum 22.2.4 / 22.2.5 -> Tomcat 9.0.68

Of these, only Tomcat 9.0.68 (Spectrum 22.2.4 / 22.2.5) lies outside the affected range 9.0.0-M1 to 9.0.67 given in the NVD description; the earlier Spectrum releases ship an affected Tomcat build and rely on the default rejectIllegalHeader value of true described above.