Impact of CVE-2020-1935 (HTTP parsing in Apache Tomcat) Vulnerability in DLO
Article ID: 100048662
Description
Reference:
More information on this vulnerability can be found in the National Vulnerability Database at the following link:
https://nvd.nist.gov/vuln/detail/CVE-2020-1935
Resolution
While the National Vulnerability Database notes that the reverse proxy scenario required for exploitation is unlikely, Veritas can also confirm that Veritas Desktop and Laptop Option (DLO) is not affected by this vulnerability.
In a DLO environment the web server is the IO Server, and DLO clients send only HTTPS requests to it. These requests are routed through the Edge Server (Apache), and only authenticated requests reach the IO Server.
Even if the IO Server is deployed behind a proxy or firewall, DLO is not at risk: it communicates only over HTTPS (HTTP over SSL/TLS), and Veritas has confirmed that the use of SSL/TLS mitigates this possible vulnerability.
Issue/Introduction
Veritas Corporation is aware of the issue referred to in CVE-2020-1935, which affects HTTP header parsing in Apache Tomcat:
'HTTP header parsing code allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner'
HTTP request smuggling becomes possible when a malformed or ambiguous HTTP request is interpreted differently by two or more entities in the path between the user and the web server, such as a proxy or a firewall and the server itself, so that they disagree about where one request ends and the next begins.
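To make that mechanism concrete, the following Python example, added here and not part of the original article or of any Veritas or Apache code, splits one constructed TCP byte stream into requests under two header-parsing policies. The strict hop takes header names literally, so a constructed invalid header "Transfer-Encoding : chunked" (whitespace before the colon, which RFC 7230 section 3.2.4 requires a server to reject) is not recognized and the body is framed by Content-Length; the lenient hop tolerates the whitespace and frames the body as chunked, so it sees a second request hidden inside what the first hop forwarded as a body. The host name "ioserver.example", the request paths and the specific malformation are assumptions made for illustration of the general pattern; they are not the exact Tomcat parsing defect of CVE-2020-1935.

```python
"""Added illustration of HTTP request smuggling via a Transfer-Encoding
header that one hop does not recognize and another accepts. Constructed
example; not Veritas DLO code and not the exact Tomcat defect of
CVE-2020-1935."""

CRLF = b"\r\n"


def parse_head(data, start, lenient):
    """Parse the request line and headers starting at `start`.

    Returns (request_line, headers, body_start). Header names are lowercased.
    lenient=True tolerates whitespace between the field name and the colon
    (RFC 7230 section 3.2.4 says a server MUST reject such a message);
    lenient=False takes the name literally, so b"Transfer-Encoding " with a
    trailing space never matches b"transfer-encoding".
    """
    end = data.index(CRLF + CRLF, start)
    lines = data[start:end].split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if lenient:
            name = name.strip()
        headers.setdefault(name.lower(), []).append(value.strip())
    return lines[0], headers, end + 4


def read_chunked(data, start):
    """Consume a chunked body; return (body, position after the terminator)."""
    pos, body = start, b""
    while True:
        line_end = data.index(CRLF, pos)
        size = int(data[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return body, data.index(CRLF, pos) + 2  # skip the (empty) trailer section
        body += data[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def split_requests(stream, lenient):
    """Return [(request_line, body), ...] as this hop frames the stream."""
    requests, pos = [], 0
    while pos < len(stream):
        req_line, headers, body_start = parse_head(stream, pos, lenient)
        te = headers.get(b"transfer-encoding", [])
        if any(b"chunked" in v.lower() for v in te):
            body, pos = read_chunked(stream, body_start)
        else:
            length = int(headers.get(b"content-length", [b"0"])[0])
            body = stream[body_start:body_start + length]
            pos = body_start + length
        requests.append((req_line, body))
    return requests


# Constructed stream: what the sender frames as ONE POST whose body, by
# Content-Length, happens to hold a zero-length chunk terminator followed by
# a complete second request. Host name and paths are made up (assumptions).
SMUGGLED_TAIL = (
    b"0\r\n\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: ioserver.example\r\n"
    b"\r\n"
)
STREAM = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: ioserver.example\r\n"
    + b"Content-Length: %d\r\n" % len(SMUGGLED_TAIL)
    + b"Transfer-Encoding : chunked\r\n"  # invalid: whitespace before the colon
    + b"\r\n"
    + SMUGGLED_TAIL
)


def request_lines(lenient):
    """Request lines this hop believes the stream contains."""
    return [req_line for req_line, _ in split_requests(STREAM, lenient)]


if __name__ == "__main__":
    print("strict hop (frames by Content-Length):", request_lines(lenient=False))
    print("lenient hop (frames as chunked):      ", request_lines(lenient=True))
```

The strict hop reports a single POST and forwards the whole tail as its body; the lenient hop reports the POST with an empty body followed by a separate GET /admin, which is the desynchronization that request smuggling exploits. The check a practitioner wants is the converse: a front end that either rejects the malformed header outright or normalizes it the same way the back end does leaves both hops agreeing on the request boundaries.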