Linux Security Advisories

CVE-2014-0227 – Apache Tomcat – Request Smuggling

CVE-2014-0227 Request Smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- - Apache Tomcat 8.0.0-RC1 to 8.0.8
- - Apache Tomcat 7.0.0 to 7.0.54
- - Apache Tomcat 6.0.0 to 6.0.41

It was possible to craft a malformed chunk as part of a chucked request
that caused Tomcat to read part of the request body as a new request.

Users of affected versions should apply one of the following mitigations
- - Upgrade to Apache Tomcat 8.0.9 or later
- - Upgrade to Apache Tomcat 7.0.55 or later
- - Upgrade to Apache Tomcat 6.0.43 or later
  (6.0.42 contains the fix but was not released)

This issue was identified by the Tomcat security team.


Authority references

Forum references