CVE-2023-34981: Information Leak in Apache Tomcat due to Regression in Fix for Bug 66512

In this post, we will discuss CVE-2023-34981, a regression in the fix for bug 66512 that affects Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88. When a response carries no HTTP headers, these versions send no AJP SEND_HEADERS message at all, and a proxy in front of Tomcat can reuse the headers of the previous response it relayed, leaking information to the wrong client. We will look at the technical details of this vulnerability, including an illustrative code snippet, links to the original references, and the impact of this issue.

Background

Apache Tomcat is a widely used Java-based web server and servlet container for serving Java web applications. This vulnerability only affects responses sent over the Apache JServ Protocol (AJP) connector, i.e. deployments where Tomcat sits behind a reverse proxy such as Apache httpd with mod_proxy_ajp.

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that if a response did not include any HTTP headers, no AJP SEND_HEADERS message was sent for that response. The proxy therefore never learned that a new response had begun, and at least one AJP proxy (mod_proxy_ajp) fell back to the response headers it still held from the previous request, leading to an information leak.

Code Snippet

The snippet below is illustrative pseudocode of the regressed logic, not Tomcat's actual source. It shows how a response with no HTTP headers results in this information leak: the SEND_HEADERS message is skipped entirely instead of being sent with an empty header list.

// Illustrative pseudocode, not Tomcat's source
public void prepareResponse() {
    ...
    if (!hasHeaders) {
        // Regression: no SEND_HEADERS message is sent at all, so the proxy
        // never learns that a new response has started
        return;
    }
    sendAjpSendHeaders(statusCode, currentResponseHeaders);
    ...
}

// Corrected logic: SEND_HEADERS is always sent, even with zero headers
public void prepareResponse() {
    ...
    sendAjpSendHeaders(statusCode, currentResponseHeaders); // may carry zero headers
    ...
}

In the regressed version, the if statement checks whether the current response has any HTTP headers. If it does not (!hasHeaders), the method returns without sending an AJP SEND_HEADERS message, so only the body chunks and the END_RESPONSE message reach the proxy. The correct behaviour is to send SEND_HEADERS with the status code and an empty header list.

Because the proxy (mod_proxy_ajp in the reported case) received no headers for the new response, it served the response headers it still held from the previous request to the current client. Whatever those headers contained, for example a Set-Cookie header for another user's session, is therefore leaked.

Exploit Details

To exploit this vulnerability, an attacker needs a request that makes the affected Tomcat produce a response with no HTTP headers at all. Tomcat then sends no AJP SEND_HEADERS message for that response, and the proxy attaches the headers of the previous response it relayed to the attacker's response. Which data leaks depends entirely on what that previous response carried.

A malicious actor can use this for various purposes, including

* Obtaining private information carried in the response headers of other users' requests.
* Stealing session tokens from leaked Set-Cookie headers, leading to hijacked sessions or unauthorized account access.
* Gaining insight into the internal workings of the affected system (for example from Location or Server-side headers), leading to further attacks.
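The following Python module is an added illustration and is not code from Tomcat, mod_proxy_ajp or the original post. It builds and parses the container-to-web-server AJP13 messages involved (SEND_HEADERS, SEND_BODY_CHUNK, END_RESPONSE) according to the AJP13 packet layout, then models two proxy behaviours on one persistent AJP connection: a stale-header-reusing proxy, as the advisory describes for mod_proxy_ajp, and a safe proxy that forwards no headers when SEND_HEADERS is missing. The sample byte stream, the cookie value and the proxy model are constructed for the example; the message ordering in the second response is the regression case described above.

```python
"""Model of the AJP13 SEND_HEADERS regression behind CVE-2023-34981 (added example)."""
import struct

MAGIC = b"AB"                                   # container -> web server packet magic
SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE = 3, 4, 5

# Header names that AJP13 may encode as 0xA0xx codes instead of strings
CODED_HEADERS = {
    0xA001: "Content-Type", 0xA002: "Content-Language", 0xA003: "Content-Length",
    0xA004: "Date", 0xA005: "Last-Modified", 0xA006: "Location", 0xA007: "Set-Cookie",
    0xA008: "Set-Cookie2", 0xA009: "Servlet-Engine", 0xA00A: "Status",
    0xA00B: "WWW-Authenticate",
}

def _ajp_string(s):                    # int16 length, bytes, NUL terminator
    b = s.encode()
    return struct.pack(">H", len(b)) + b + b"\x00"

def _packet(payload):                  # magic, int16 payload length, payload
    return MAGIC + struct.pack(">H", len(payload)) + payload

def build_send_headers(status, reason, headers):
    body = bytes([SEND_HEADERS]) + struct.pack(">H", status) + _ajp_string(reason)
    body += struct.pack(">H", len(headers))
    for name, value in headers:
        body += _ajp_string(name) + _ajp_string(value)
    return _packet(body)

def build_body_chunk(data):
    return _packet(bytes([SEND_BODY_CHUNK]) + struct.pack(">H", len(data)) + data + b"\x00")

def build_end_response(reuse=True):
    return _packet(bytes([END_RESPONSE, 1 if reuse else 0]))

def _read_string(buf, pos):
    n, = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n + 1   # skip the NUL

def parse_messages(stream):
    """Split a container->web-server byte stream into (prefix, payload) tuples."""
    out, pos = [], 0
    while pos < len(stream):
        if stream[pos:pos + 2] != MAGIC:
            raise ValueError("bad AJP magic at offset %d" % pos)
        length, = struct.unpack_from(">H", stream, pos + 2)
        payload = stream[pos + 4:pos + 4 + length]
        pos += 4 + length
        prefix = payload[0]
        if prefix == SEND_HEADERS:
            status, = struct.unpack_from(">H", payload, 1)
            reason, p = _read_string(payload, 3)
            nhdr, = struct.unpack_from(">H", payload, p)
            p, headers = p + 2, []
            for _ in range(nhdr):
                code, = struct.unpack_from(">H", payload, p)
                if code in CODED_HEADERS:
                    name, p = CODED_HEADERS[code], p + 2
                else:
                    name, p = _read_string(payload, p)
                value, p = _read_string(payload, p)
                headers.append((name, value))
            out.append((prefix, {"status": status, "reason": reason, "headers": headers}))
        elif prefix == SEND_BODY_CHUNK:
            n, = struct.unpack_from(">H", payload, 1)
            out.append((prefix, payload[3:3 + n]))
        elif prefix == END_RESPONSE:
            out.append((prefix, {"reuse": bool(payload[1])}))
        else:
            out.append((prefix, payload[1:]))
    return out

def proxy_responses(stream, reuse_stale_headers):
    """Relay responses on one persistent AJP connection.

    reuse_stale_headers=True models the proxy behaviour the advisory describes:
    a response that never gets SEND_HEADERS inherits the previous response's
    headers. False models a safe proxy: empty headers, and the gap is flagged.
    """
    results, last_headers, current = [], [], None
    for prefix, msg in parse_messages(stream):
        if prefix == SEND_HEADERS:
            current = {"status": msg["status"], "headers": list(msg["headers"]),
                       "body": b"", "headers_missing": False}
            last_headers = list(msg["headers"])
            continue
        if current is None:                       # body/end without SEND_HEADERS: the regression
            current = {"status": 200, "body": b"", "headers_missing": True,
                       "headers": list(last_headers) if reuse_stale_headers else []}
        if prefix == SEND_BODY_CHUNK:
            current["body"] += msg
        elif prefix == END_RESPONSE:
            results.append(current)
            current = None
    return results

# Constructed sample: a victim's response carrying a session cookie, followed on the
# same connection by a headerless response (SEND_HEADERS never sent).
SAMPLE_STREAM = (
    build_send_headers(200, "OK", [("Content-Type", "text/html"),
                                   ("Set-Cookie", "JSESSIONID=EXAMPLE-VICTIM-SESSION; HttpOnly")])
    + build_body_chunk(b"<html>victim page</html>") + build_end_response()
    + build_body_chunk(b"attacker-triggered body") + build_end_response()
)

def demo():
    return (proxy_responses(SAMPLE_STREAM, reuse_stale_headers=True),
            proxy_responses(SAMPLE_STREAM, reuse_stale_headers=False))

if __name__ == "__main__":
    vulnerable, safe = demo()
    print("stale-reuse proxy, 2nd response headers:", vulnerable[1]["headers"])
    print("safe proxy, 2nd response headers:", safe[1]["headers"])
```

Running the module prints the second response's headers under both proxy models: the stale-reuse proxy hands the first response's Set-Cookie to the second client, while the safe proxy forwards nothing and marks the response as missing its headers. The same parser can be pointed at a capture of real AJP traffic between a proxy and Tomcat to check whether every END_RESPONSE was preceded by a SEND_HEADERS for that response.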

For more information on CVE-2023-34981, you can refer to the following resources

* Apache Tomcat Security Advisory: https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M6
* CVE Details: https://www.cvedetails.com/cve/CVE-2023-34981/
* Bug 66512: https://bz.apache.org/bugzilla/show_bug.cgi?id=66512

Conclusion

CVE-2023-34981 is a serious information leak vulnerability in Apache Tomcat caused by a regression in the fix for bug 66512. Only the single releases 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 are affected, and only when Tomcat serves traffic over the AJP connector. Operators running one of these versions behind an AJP proxy should upgrade to 11.0.0-M6, 10.1.9, 9.0.75 or 8.5.89 (or later) to mitigate the risks associated with this issue.

Timeline

Published on: 06/21/2023 11:15:00 UTC
Last modified on: 07/21/2023 19:20:00 UTC