CVE-2020-1935 Overview
CVE-2020-1935 is an HTTP Request Smuggling vulnerability affecting Apache Tomcat versions 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50, and 7.0.0 to 7.0.99. The vulnerability stems from improper HTTP header parsing where the end-of-line parsing approach allowed certain invalid HTTP headers to be parsed as valid. When Apache Tomcat is deployed behind a reverse proxy that incorrectly handles malformed Transfer-Encoding headers, this parsing discrepancy can enable HTTP Request Smuggling attacks.
Critical Impact
HTTP Request Smuggling can allow attackers to bypass security controls, poison web caches, hijack user sessions, or access unauthorized resources when Tomcat is deployed behind a vulnerable reverse proxy configuration.
Affected Products
- Apache Tomcat 9.0.0.M1 to 9.0.30
- Apache Tomcat 8.5.0 to 8.5.50
- Apache Tomcat 7.0.0 to 7.0.99
- Debian Linux 8.0, 9.0, 10.0
- Canonical Ubuntu Linux 16.04 LTS
- openSUSE Leap 15.1
- NetApp Data Availability Services
- NetApp OnCommand System Manager
- Multiple Oracle products including MySQL Enterprise Monitor, Agile PLM, Communications Element Manager
Discovery Timeline
- 2020-02-24 - CVE-2020-1935 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-1935
Vulnerability Analysis
This vulnerability exists in the HTTP header parsing implementation within Apache Tomcat. The core issue lies in how Tomcat interprets end-of-line (EOL) sequences when processing HTTP request headers. The parsing logic was overly permissive, accepting certain malformed headers that should have been rejected according to HTTP specification standards.
HTTP Request Smuggling vulnerabilities exploit discrepancies between how different HTTP processors (such as a front-end reverse proxy and a back-end application server) interpret the boundaries between HTTP requests. When the front-end and back-end disagree on where one request ends and another begins, an attacker can inject malicious content that gets interpreted differently by each component.
The vulnerability requires a specific deployment architecture where Tomcat sits behind a reverse proxy that also exhibits non-standard parsing behavior for Transfer-Encoding headers. The advisory notes that finding a reverse proxy susceptible to this particular manipulation is considered unlikely, which contributes to the medium severity classification.
Root Cause
The root cause is an improper input validation issue (CWE-444: Inconsistent Interpretation of HTTP Requests) in the HTTP header parsing code. The end-of-line detection mechanism accepted invalid header formats that deviated from the HTTP specification (RFC 7230). This permissive parsing created an inconsistency between how Tomcat and potential front-end proxies interpret the same HTTP stream, enabling request smuggling when both components exhibit specific parsing behaviors.
Attack Vector
The attack requires network access to a Tomcat server deployed behind a reverse proxy with specific misconfiguration characteristics. An attacker crafts HTTP requests with malformed Transfer-Encoding headers designed to be interpreted differently by the reverse proxy and Tomcat.
The exploitation scenario involves sending a specially crafted request where the proxy sees one request boundary while Tomcat interprets a different boundary. This allows the attacker to smuggle a hidden request that bypasses the proxy's security controls but gets processed by Tomcat as a legitimate request.
The attack mechanism involves manipulating Transfer-Encoding header formatting with non-standard line terminators or spacing that triggers the parsing discrepancy. When successful, the smuggled request can be used to poison web caches, bypass access controls, or hijack other users' sessions by prepending malicious content to their requests.
Detection Methods for CVE-2020-1935
Indicators of Compromise
- Unusual or malformed Transfer-Encoding headers in HTTP access logs with non-standard characters or formatting
- HTTP requests containing multiple Content-Length or conflicting Transfer-Encoding/Content-Length header combinations
- Unexpected HTTP requests appearing in application logs that don't correlate with front-end proxy logs
- Cache poisoning evidence where cached responses don't match expected content
Detection Strategies
- Implement deep packet inspection to identify HTTP requests with malformed or duplicated Transfer-Encoding headers
- Deploy web application firewall (WAF) rules that detect HTTP request smuggling patterns including header manipulation attempts
- Monitor for discrepancies between reverse proxy access logs and backend Tomcat access logs indicating request splitting
- Use SentinelOne's network detection capabilities to identify anomalous HTTP traffic patterns
Monitoring Recommendations
- Enable detailed HTTP request logging on both reverse proxy and Tomcat instances for correlation analysis
- Configure alerts for HTTP 400 errors that may indicate malformed request rejections
- Monitor for unusual patterns in session handling that could indicate session hijacking via request smuggling
- Review Tomcat logs for requests that bypass expected authentication paths
How to Mitigate CVE-2020-1935
Immediate Actions Required
- Upgrade Apache Tomcat to version 9.0.31 or later, 8.5.51 or later, or 7.0.100 or later
- Review and harden reverse proxy configurations to ensure strict HTTP parsing compliance
- Implement WAF rules to detect and block HTTP request smuggling attempts
- Audit network architecture to identify all Tomcat instances potentially exposed behind reverse proxies
Patch Information
Apache Software Foundation has released patched versions that address this HTTP header parsing vulnerability. Organizations should upgrade to:
- Apache Tomcat 9.0.31 or later for the 9.x branch
- Apache Tomcat 8.5.51 or later for the 8.5.x branch
- Apache Tomcat 7.0.100 or later for the 7.x branch
Additional security patches are available from distribution vendors including Debian Security DSA-4673, Debian Security DSA-4680, and Ubuntu Security Notice USN-4448-1. Oracle has also addressed this vulnerability in affected products through their Critical Patch Update July 2020, October 2020, and January 2021.
Workarounds
- Configure the reverse proxy to normalize and strictly validate all HTTP headers before forwarding to Tomcat
- Implement request header sanitization at the reverse proxy layer to reject requests with malformed Transfer-Encoding values
- Consider deploying additional network segmentation to limit exposure of Tomcat instances
- Enable HTTP/2 where possible, as this protocol is not susceptible to traditional HTTP request smuggling attacks
# Example: Apache HTTP Server mod_headers configuration to sanitize headers
# Add to httpd.conf or virtual host configuration
RequestHeader unset Transfer-Encoding "expr=-z %{HTTP:Transfer-Encoding}"
RequestHeader edit Transfer-Encoding "^.*$" "chunked" "expr=%{HTTP:Transfer-Encoding} =~ /chunked/i"
# Alternatively, use mod_security rules to block suspicious patterns
# ModSecurity rule to detect request smuggling attempts
SecRule REQUEST_HEADERS:Transfer-Encoding "!^chunked$" \
"id:1001,phase:1,deny,status:400,msg:'Invalid Transfer-Encoding header'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
