CVE-2020-10687 Overview
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
Critical Impact
HTTP Request Smuggling vulnerability enabling web cache poisoning, cross-site scripting attacks, and unauthorized access to sensitive information from other users' requests.
Affected Products
- Red Hat Undertow (all versions before 2.2.0.Final)
- Red Hat JBoss Enterprise Application Platform (versions 7.2, 7.3, 7.4)
- Red Hat Single Sign-On
- Red Hat Enterprise Linux (versions 6.0, 7.0, 8.0)
Discovery Timeline
- 2020-09-23 - CVE-2020-10687 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-10687
Vulnerability Analysis
This HTTP Request Smuggling vulnerability (CWE-444) in Red Hat Undertow arises from insufficient validation of HTTP request characters. The flaw is a continuation of issues related to CVE-2017-2666, affecting both HTTP/1.x and HTTP/2 protocol implementations within the Undertow web server.
The vulnerability occurs when Undertow improperly processes HTTP requests containing invalid characters that should be rejected according to HTTP specifications. This permissive parsing behavior creates a desynchronization between how frontend proxies and backend servers interpret HTTP request boundaries, enabling request smuggling attacks.
Successful exploitation requires network access and the presence of intermediary proxy servers or caching infrastructure, which is common in enterprise deployments. The impact includes potential exposure of confidential data from other users' requests, web cache poisoning that could affect many users, and the ability to inject malicious content through XSS attacks.
Root Cause
The root cause lies in Undertow's HTTP parser accepting invalid characters in HTTP requests that violate RFC specifications. This permissive parsing creates inconsistencies between how different components in a request pipeline (load balancers, reverse proxies, and the Undertow server) interpret request boundaries. When these interpretations differ, an attacker can craft requests that appear as one request to the frontend but are processed as multiple requests by the backend, or vice versa.
Attack Vector
The attack is network-based and targets environments where Undertow operates behind proxy servers or CDN infrastructure. An attacker sends specially crafted HTTP requests containing invalid characters that exploit parsing inconsistencies. The malformed request boundaries allow the attacker to:
- Inject requests that get appended to other users' legitimate requests
- Poison shared web caches with malicious content that gets served to other users
- Bypass security controls that operate at the proxy layer
- Extract sensitive information from responses intended for other users
The attack typically leverages discrepancies in how Content-Length and Transfer-Encoding headers are processed, or exploits invalid characters that are stripped or interpreted differently by various HTTP parsers in the request chain.
Detection Methods for CVE-2020-10687
Indicators of Compromise
- Unusual HTTP requests containing non-standard or control characters in headers or request lines
- Discrepancies between proxy logs and backend server logs indicating request parsing inconsistencies
- Unexpected cache behavior where cached responses don't match the original requests
- Evidence of XSS payloads in cached content or logs
Detection Strategies
- Implement deep packet inspection to identify malformed HTTP requests with invalid characters
- Monitor for anomalies in Content-Length and Transfer-Encoding header combinations
- Compare request logs between frontend proxies and backend Undertow servers to identify parsing discrepancies
- Deploy web application firewalls (WAF) with HTTP request smuggling detection rules
Monitoring Recommendations
- Enable verbose HTTP request logging on both proxy and Undertow server layers
- Configure alerting for requests containing uncommon control characters or encoding anomalies
- Monitor cache hit ratios and investigate sudden changes that could indicate cache poisoning
- Review application logs for evidence of unauthorized data access or XSS execution
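Comparing front-end and back-end request logs, as the detection strategies and monitoring recommendations above suggest, is only practical when both layers record which upstream connection a request travelled on. The following Python is an added example written for this page; it is not tooling from Red Hat or the Undertow project. The log format, the `conn=` connection identifier and the sample lines are all constructed for the example, and a real deployment would need the proxy and Undertow access-log patterns configured to emit a shared connection identifier before this correlation could run on live logs.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List

# Constructed log format for this example (not nginx's or Undertow's default pattern):
# each line records the upstream connection id, the request line and the status code.
LINE_RE = re.compile(r'conn=(?P<conn>\d+) "(?P<req>[^"]*)" (?P<status>\d{3})')


def requests_by_connection(lines: Iterable[str]) -> Dict[int, List[str]]:
    """Group the request lines seen on each upstream connection, in log order."""
    grouped: Dict[int, List[str]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            grouped[int(m.group("conn"))].append(m.group("req"))
    return grouped


def correlate(proxy_lines: Iterable[str], backend_lines: Iterable[str]) -> List[str]:
    """Flag connections where the proxy and the backend disagree on what was requested.

    A backend that logs a request the proxy never forwarded on the same connection is
    the signature of a smuggled request; a different request line at the same position
    means the two parsers split the byte stream differently.
    """
    proxy = requests_by_connection(proxy_lines)
    backend = requests_by_connection(backend_lines)
    alerts: List[str] = []
    for conn in sorted(set(proxy) | set(backend)):
        seen_by_proxy = proxy.get(conn, [])
        seen_by_backend = backend.get(conn, [])
        if len(seen_by_backend) != len(seen_by_proxy):
            # Multiset difference: requests the backend processed that the proxy never logged.
            unforwarded = list((Counter(seen_by_backend) - Counter(seen_by_proxy)).elements())
            alerts.append(
                f"conn {conn}: backend logged {len(seen_by_backend)} request(s), "
                f"proxy forwarded {len(seen_by_proxy)}; not forwarded by proxy: {unforwarded}")
            continue
        for pos, (p_req, b_req) in enumerate(zip(seen_by_proxy, seen_by_backend), start=1):
            if p_req != b_req:
                alerts.append(
                    f"conn {conn} request #{pos}: proxy saw {p_req!r}, backend saw {b_req!r}")
    return alerts


# Constructed sample logs (not real traffic). On connection 41 the backend processed a
# request that the proxy never logged, which is what a smuggled request looks like.
PROXY_LOG = [
    '2020-09-23T10:00:01Z conn=41 "GET /index.html HTTP/1.1" 200',
    '2020-09-23T10:00:02Z conn=41 "POST /api/orders HTTP/1.1" 201',
    '2020-09-23T10:00:02Z conn=42 "GET /account HTTP/1.1" 200',
]
BACKEND_LOG = [
    '2020-09-23T10:00:01Z conn=41 "GET /index.html HTTP/1.1" 200',
    '2020-09-23T10:00:02Z conn=41 "POST /api/orders HTTP/1.1" 201',
    '2020-09-23T10:00:02Z conn=41 "GET /admin/export HTTP/1.1" 403',
    '2020-09-23T10:00:02Z conn=42 "GET /account HTTP/1.1" 200',
]


if __name__ == "__main__":
    for alert in correlate(PROXY_LOG, BACKEND_LOG):
        print("ALERT", alert)
```

The count comparison is done before the positional one on purpose: once a connection carries an extra request, every later request on it is shifted by one, and reporting each shift separately would only add noise to the single alert that matters.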
How to Mitigate CVE-2020-10687
Immediate Actions Required
- Upgrade Undertow to version 2.2.0.Final or later immediately
- Update Red Hat JBoss Enterprise Application Platform to the latest patched version
- Review and update any dependent applications or middleware that use Undertow
- Implement strict HTTP request validation at the proxy/load balancer level as an additional defense layer
Patch Information
Red Hat has addressed this vulnerability in Undertow version 2.2.0.Final. Organizations should upgrade to this version or later to remediate the HTTP request smuggling flaw. For JBoss Enterprise Application Platform deployments, consult the Red Hat Bug Report #1785049 for specific patch guidance. Additional vendor advisories are available from NetApp Security Advisory NTAP-20220210-0015 for affected NetApp products.
Workarounds
- Configure frontend proxies to normalize and strictly validate HTTP requests before forwarding to Undertow
- Implement request filtering to reject requests containing invalid or unexpected characters
- Disable HTTP/2 if not required, as the vulnerability affects both HTTP/1.x and HTTP/2
- Use separate, non-shared caches where possible to limit the impact of potential cache poisoning
- Deploy a Web Application Firewall (WAF) with HTTP smuggling detection capabilities as an interim measure
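The strict request validation recommended under Detection Strategies (flagging invalid characters and Content-Length/Transfer-Encoding anomalies) and under Workarounds (validating requests at the proxy before they reach Undertow) comes down to the same set of checks. The following Python is an added example written for this page; it is not Undertow's parser, the fix shipped in 2.2.0.Final, or code from Red Hat. Which characters Undertow accepted before the fix is not stated on this page, so the grammar enforced below is RFC 7230's token and field-value grammar plus its message-framing rules, not a reproduction of Undertow's behaviour. The sample request heads are constructed for the example.

```python
import re
from typing import Dict, List

# Characters allowed in an RFC 7230 "token" (methods, header names, transfer-codings).
TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
VERSION_RE = re.compile(r"^HTTP/1\.[01]$")


def _is_token(s: str) -> bool:
    return bool(s) and all(c in TCHAR for c in s)


def _has_ctl(s: str) -> bool:
    # C0 control characters other than HTAB, and DEL, are never valid in a
    # request-target or a field value; a bare CR or LF inside a line shows up here too.
    return any((ord(c) < 0x20 and c != "\t") or ord(c) == 0x7F for c in s)


def validate_request_head(raw: bytes) -> List[str]:
    """Strictly check one HTTP/1.x request head (request line plus headers).

    Returns a list of findings; an empty list means the head is acceptable.
    Everything a lenient parser might accept or reinterpret is reported, since
    that is what lets a front end and a back end disagree on request boundaries.
    """
    findings: List[str] = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    text = head.decode("latin-1")  # one-to-one byte mapping, never raises
    if any(ord(c) > 0x7F for c in text):
        findings.append("non-ASCII byte in request head")

    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        findings.append("request line is not exactly 'method SP target SP version'")
    else:
        method, target, version = parts
        if not _is_token(method):
            findings.append(f"invalid method token {method!r}")
        if not target or _has_ctl(target) or any(c.isspace() for c in target):
            findings.append("request-target contains whitespace or control characters")
        if not VERSION_RE.match(version):
            findings.append(f"unexpected HTTP version {version!r}")

    content_lengths: List[str] = []
    transfer_encodings: List[str] = []
    for line in lines[1:]:
        if not line or line[0] in " \t":
            findings.append("empty or folded header line")  # obs-fold is treated as invalid
            continue
        name, sep, value = line.partition(":")
        if not sep:
            findings.append(f"header line without a colon: {line!r}")
            continue
        if not _is_token(name):
            # Also catches "Content-Length : 4" (whitespace before the colon).
            findings.append(f"invalid header name {name!r}")
        if _has_ctl(value):
            findings.append(f"control character in value of {name.strip()!r}")
        lname = name.strip().lower()
        if lname == "content-length":
            content_lengths.append(value.strip())
        elif lname == "transfer-encoding":
            transfer_encodings.extend(v.strip() for v in value.split(","))

    # Message framing rules from RFC 7230 section 3.3: exactly one unambiguous length.
    if content_lengths and transfer_encodings:
        findings.append("Content-Length and Transfer-Encoding both present")
    if len(set(content_lengths)) > 1:
        findings.append("conflicting Content-Length values")
    for cl in content_lengths:
        if not cl.isdigit():
            findings.append(f"non-numeric Content-Length {cl!r}")
    for te in transfer_encodings:
        if not _is_token(te):
            findings.append(f"invalid transfer-coding {te!r}")
    if transfer_encodings and transfer_encodings[-1].lower() != "chunked":
        findings.append("Transfer-Encoding does not end with chunked")
    return findings


# Constructed request heads for the example; none of them is real captured traffic.
SAMPLES: Dict[str, bytes] = {
    "clean": b"GET /index.html HTTP/1.1\r\nHost: app.example\r\nUser-Agent: curl/7.0\r\n\r\n",
    "cl_and_te": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n",
    "ctl_in_header": b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Trace: abc\x0bdef\r\n\r\n",
    "space_before_colon": b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length : 4\r\n\r\n",
    "dup_cl": b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\nContent-Length: 10\r\n\r\n",
}


def scan_samples() -> Dict[str, List[str]]:
    return {name: validate_request_head(head) for name, head in SAMPLES.items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name:20s} {'ACCEPT' if not found else 'REJECT: ' + '; '.join(found)}")
```

Placed at the proxy or WAF, a validator like this should reject rather than normalise: silently stripping an invalid character or dropping one of two conflicting headers is itself a parser-specific interpretation, and the backend may make a different one.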
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

