PSC: Is Carbon Black's Cloud vulnerable to recent HTTP desync attacks?

Article ID: 290167


Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Is the PSC vulnerable to the HTTP desync/request smuggling attacks described in the resources below?

https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn
https://nvd.nist.gov/vuln/detail/CVE-2014-0099

Environment

  • Predictive Security Cloud (PSC): All Versions
    • CB Defense
    • CB LiveOps
    • CB ThreatHunter
    • CB ThreatSight

Resolution

No. This vulnerability is in unpatched versions of Apache Tomcat. The NVD description of CVE-2014-0099 reads:

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.

The PSC does not use these unpatched versions of Apache Tomcat, and we regularly scan our infrastructure for vulnerabilities and implement the requisite patches.
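The defect class named in the CVE text is a Content-Length value accumulated into a fixed-width integer with no overflow check, so a reverse proxy and the origin server can disagree about where a request body ends. The Python below is an added illustration, not Carbon Black's or Tomcat's code: it emulates an unchecked 64-bit parse beside the strict validation a front end or proxy should apply (digits only, in range, no conflicting repeats, never combined with Transfer-Encoding). The header samples are constructed, and the 64-bit signed range is an assumption standing in for Java's long.

```python
import re
from typing import List, Optional, Tuple

# Assumption: the downstream parser stores the length in a signed 64-bit integer (Java long).
INT64_MAX = 2**63 - 1

Headers = List[Tuple[str, str]]


def naive_parse_content_length(value: str) -> int:
    """Emulate an unchecked digit-accumulating parse into a signed 64-bit integer.

    Each step does n = n*10 + digit with no range check, so a sufficiently long
    digit string silently wraps around. This is the defect class the CVE text
    describes; it is shown only to make the strict validator's checks concrete.
    """
    n = 0
    for ch in value:
        if not ch.isdigit():
            raise ValueError("non-digit in Content-Length")
        n = n * 10 + (ord(ch) - ord("0"))
        # Emulate two's-complement wraparound of a 64-bit signed integer.
        n = (n + 2**63) % 2**64 - 2**63
    return n


# Strict token: 1..19 ASCII digits (19 digits is the widest value that can fit in int64).
_CL_TOKEN = re.compile(r"[0-9]{1,19}")


def strict_content_length(headers: Headers) -> Optional[int]:
    """Validate Content-Length the way a hardened front end should (RFC 7230 section 3.3.2).

    Returns the length, None if no Content-Length header is present, or raises
    ValueError for any message a proxy and origin might frame differently:
    - Content-Length present together with Transfer-Encoding
    - repeated or list-form Content-Length values that are not identical
    - non-digit characters, signs, whitespace or hex
    - a value outside the downstream server's integer range
    """
    names = [name.lower() for name, _ in headers]
    cl_values = [value.strip() for name, value in headers if name.lower() == "content-length"]
    if not cl_values:
        return None
    if "transfer-encoding" in names:
        raise ValueError("Content-Length combined with Transfer-Encoding is ambiguous; reject")
    # "Content-Length: 5, 5" is treated the same as two repeated headers.
    flat = [part.strip() for value in cl_values for part in value.split(",")]
    if len(set(flat)) != 1:
        raise ValueError("conflicting Content-Length values; reject")
    raw = flat[0]
    if not _CL_TOKEN.fullmatch(raw):
        raise ValueError("malformed Content-Length; reject")
    length = int(raw)
    if length > INT64_MAX:
        raise ValueError("Content-Length exceeds 64-bit range; reject")
    return length


def is_desync_safe(headers: Headers) -> bool:
    """True when the message framing is unambiguous under the strict rules above."""
    try:
        strict_content_length(headers)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: a benign request and ones a strict front end must reject.
    samples = [
        [("Host", "example.test"), ("Content-Length", "5")],
        [("Host", "example.test"), ("Content-Length", "9223372036854775808")],
        [("Host", "example.test"), ("Content-Length", "5"), ("Transfer-Encoding", "chunked")],
        [("Host", "example.test"), ("Content-Length", "5"), ("Content-Length", "6")],
    ]
    for sample in samples:
        print(sample, "->", "accept" if is_desync_safe(sample) else "reject")
    # The unchecked parse reads INT64_MAX + 1 as a negative number; the strict one rejects it.
    print(naive_parse_content_length("9223372036854775808"))
```

The naive parser is kept only to show why the range check matters: the same digit string that the strict validator rejects is accepted by the unchecked parse as a different (negative) value. In a deployment, the rejection cases are the ones worth logging at the proxy, since a well-formed client has no reason to send conflicting or out-of-range lengths.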