CVE-2022-42252: 
Java vulnerability analysis and mitigation

Apache Tomcat versions 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26, and 10.1.0-M1 to 10.1.0 were affected by a security vulnerability identified as CVE-2022-42252. The vulnerability was discovered and disclosed in October 2022, affecting Tomcat installations configured to ignore invalid HTTP headers. This configuration was particularly concerning as it was the default setting for version 8.5.x (CVE Mitre).

The vulnerability stems from Tomcat's handling of invalid Content-Length headers in HTTP requests. When configured with rejectIllegalHeader set to false, the server failed to properly reject requests containing invalid Content-Length headers. The vulnerability has been assigned a CVSS 3.1 base score of 7.5 (High), with attack vector being Network, attack complexity Low, and requiring no privileges or user interaction. The scope is unchanged, with no impact on confidentiality but high impact on integrity (Ubuntu Security).

The primary security impact of this vulnerability is the possibility of request smuggling attacks when Tomcat is deployed behind a reverse proxy that also fails to reject requests with invalid headers. This could potentially lead to unauthorized access and manipulation of request handling, affecting the integrity of the web application (NVD).

The vulnerability has been fixed in Apache Tomcat versions 8.5.83, 9.0.68, and later releases. Various Linux distributions have also released security updates to address this vulnerability. For Ubuntu, fixes are available in version 9.0.58-1ubuntu0.1+esm1 for 22.04 LTS and 9.0.31-1ubuntu0.5 for 20.04 LTS. Debian has addressed this in version 9.0.43-2~deb11u11 for bullseye (Debian Security, Ubuntu Security).