ALAS2-2023-2216

Amazon Linux 2 Security Advisory: ALAS-2023-2216
Advisory Release Date: 2023-08-17 11:58 Pacific
Advisory Updated Date: 2023-08-23 00:18 Pacific
Severity: Medium
Issue Overview:

A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. The highest threat with this vulnerability is system availability. (CVE-2020-1935)


Affected Packages:

tomcat


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update tomcat to update your system.

New Packages:
noarch:
    tomcat-7.0.76-10.amzn2.0.6.noarch
    tomcat-admin-webapps-7.0.76-10.amzn2.0.6.noarch
    tomcat-docs-webapp-7.0.76-10.amzn2.0.6.noarch
    tomcat-javadoc-7.0.76-10.amzn2.0.6.noarch
    tomcat-jsvc-7.0.76-10.amzn2.0.6.noarch
    tomcat-jsp-2.2-api-7.0.76-10.amzn2.0.6.noarch
    tomcat-lib-7.0.76-10.amzn2.0.6.noarch
    tomcat-servlet-3.0-api-7.0.76-10.amzn2.0.6.noarch
    tomcat-el-2.2-api-7.0.76-10.amzn2.0.6.noarch
    tomcat-webapps-7.0.76-10.amzn2.0.6.noarch

src:
    tomcat-7.0.76-10.amzn2.0.6.src

Additional References

Red Hat: CVE-2020-1935

Mitre: CVE-2020-1935