RE: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up

[Kursu, Teemu]

Hi,

Just to make sure that I understand this correctly. Does this vulnerability 
affect in both http1.1 and http2 protocols? I mean is this vulnerability still 
relevant if HTTP Upgrade Protocol is not implemented in server.xml? 

Regards,
Teemu Kursu

-----Original Message-----
From: Mark Thomas <ma...@apache.org> 
Sent: maanantai 1. maaliskuuta 2021 13.05
To: Tomcat Users List <users@tomcat.apache.org>
Cc: annou...@tomcat.apache.org; annou...@apache.org; Tomcat Developers List 
<d...@tomcat.apache.org>
Subject: [SECURITY] CVE-2021-25122 Apache Tomcat h2c request mix-up

CVE-2021-25122 h2c request mix-up

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0
Apache Tomcat 9.0.0.M1 to 9.0.41
Apache Tomcat 8.5.0 to 8.5.61

Description:
When responding to new h2c connection requests, Apache Tomcat could duplicate 
request headers and a limited amount of request body from one request to 
another meaning user A and user B could both see the results of user A's 
request.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.0.2 or later
- Upgrade to Apache Tomcat 9.0.43 or later
- Upgrade to Apache Tomcat 8.5.63 or later

Note that issue was fixed in 10.0.1, 9.0.42 and 8.5.62 but the release votes 
for those versions did not pass.

Credit:
This issue was identified by the Apache Tomcat Security Team.

History:
2021-03-01 Original advisory

References:
[1] 
https://urldefense.com/v3/__https://tomcat.apache.org/security-10.html__;!!AaIhyw!6xXF00kSUgG8NOWtmsLCoiJJUh-IJvGXMrOucbsVMScQa-NJEaSlVcaTy9fRppI$
[2] 
https://urldefense.com/v3/__https://tomcat.apache.org/security-9.html__;!!AaIhyw!6xXF00kSUgG8NOWtmsLCoiJJUh-IJvGXMrOucbsVMScQa-NJEaSlVcaTIcr_boE$
[3] 
https://urldefense.com/v3/__https://tomcat.apache.org/security-8.html__;!!AaIhyw!6xXF00kSUgG8NOWtmsLCoiJJUh-IJvGXMrOucbsVMScQa-NJEaSlVcaTo3daRfo$
[4] 
https://urldefense.com/v3/__https://tomcat.apache.org/security-7.html__;!!AaIhyw!6xXF00kSUgG8NOWtmsLCoiJJUh-IJvGXMrOucbsVMScQa-NJEaSlVcaTaVldwns$