Tomcat Security Notice

Ryan Carrie shared this announcement 4 months ago

Tomcat Vulnerability - HTTP Request Smuggling

It was disclosed that Tomcat, as shipped with Yellowfin, is vulnerable to the issue described below when hosted behind a reverse proxy. If you are not hosted behind a reverse proxy, no action is required. Existing deployments that are affected should follow our Tomcat Upgrade article, as the Yellowfin upgrade installer is not designed to upgrade Tomcat.

Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP Transfer-Encoding request header, which in some cases made request smuggling possible when Tomcat was used with a reverse proxy. Three parsing flaws were involved: Tomcat ignored the Transfer-Encoding header entirely if the client declared it would only accept an HTTP/1.0 response; Tomcat honoured the "identity" transfer coding; and Tomcat did not ensure that, when present, the chunked coding was the final coding. Each of these lets a proxy and Tomcat disagree about where one request's body ends and the next request begins.
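As an added illustration, and not code from Tomcat or Yellowfin, the Python function below applies the strict body-framing rules a correct parser needs for the three flaws above: it never skips Transfer-Encoding for HTTP/1.0 clients, it does not honour "identity", and it requires chunked to be the single, final coding. Rejecting an HTTP/1.0 request that carries Transfer-Encoding, and rejecting a request that carries both Transfer-Encoding and Content-Length, are this example's conservative choices rather than behaviour the notice states.

```python
"""Strict Transfer-Encoding framing decision (added example, not Tomcat code)."""
from dataclasses import dataclass
from typing import List, Optional

# Transfer codings a server may legitimately decode (RFC 7230 section 4).
# "identity" is deliberately absent: it is not a registered transfer coding,
# so honouring it (flaw 2 on the page) must not happen.
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}


@dataclass
class FramingDecision:
    accepted: bool
    framing: Optional[str]  # "chunked", "content-length", "none"; None when rejected
    reason: str


def parse_codings(header_value: str) -> List[str]:
    """Split a Transfer-Encoding value into lower-cased tokens, dropping blanks."""
    return [t.strip().lower() for t in header_value.split(",") if t.strip()]


def decide_framing(http_version: str,
                   transfer_encoding: Optional[str],
                   content_length: Optional[str]) -> FramingDecision:
    """Decide how a request body is delimited, or reject the request outright."""
    if transfer_encoding is None:
        if content_length is None:
            return FramingDecision(True, "none", "no message body")
        return FramingDecision(True, "content-length", "body delimited by Content-Length")
    # Flaw 1: the header must not be ignored for HTTP/1.0 clients. This example
    # rejects instead (conservative choice): a transfer coding from an HTTP/1.0
    # client is itself a sign that the sender and receiver disagree on framing.
    if http_version == "HTTP/1.0":
        return FramingDecision(False, None, "Transfer-Encoding sent by an HTTP/1.0 client")
    codings = parse_codings(transfer_encoding)
    if not codings:
        return FramingDecision(False, None, "empty Transfer-Encoding header")
    # Flaw 2: "identity" (and any other unknown coding) is not honoured.
    unknown = [c for c in codings if c not in KNOWN_CODINGS]
    if unknown:
        return FramingDecision(False, None, f"unsupported transfer coding(s): {unknown}")
    # Flaw 3: chunked must be the single, final coding (RFC 7230 section 3.3.3).
    if codings[-1] != "chunked" or codings.count("chunked") != 1:
        return FramingDecision(False, None, "chunked is not the single, final transfer coding")
    # Both headers present means proxy and origin may pick different body lengths.
    if content_length is not None:
        return FramingDecision(False, None, "Transfer-Encoding and Content-Length both present")
    return FramingDecision(True, "chunked", "body delimited by chunked encoding")
```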

Yellowfin full installations will be patched to include Tomcat 9.0.48, which addresses this vulnerability. This announcement will be updated with further information as it becomes available.