CVE-2014-0099 — Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Tomcat

Description

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.

How to fix CVE-2014-0099

To remediate CVE-2014-0099, upgrade the affected package to a fixed version below.

Maven/org.apache.tomcat:tomcat—upgrade to 6.0.40 or later
Maven/org.apache.tomcat:tomcat-util—upgrade to 6.0.40 or later

Is CVE-2014-0099 being exploited?

Moderate — EPSS is 37.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 6.0.40
from 0, < 6.0.40

References (60)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-0099
PATCHgithub.com/apache/tomcat
WEBadvisories.mageia.org/MGASA-2014-0268.html
WEBlinux.oracle.com/errata/ELSA-2014-0865.html
WEB