CVE-2021-25122: Apache Tomcat Information Disclosure Flaw

CVE-2021-25122 Overview

CVE-2021-25122 is an information disclosure vulnerability in Apache Tomcat that affects the HTTP/2 (h2c) connection handling mechanism. When responding to new h2c connection requests, vulnerable versions of Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another. This means that user A and user B could both see the results of user A's request, potentially exposing sensitive information across user sessions.

This vulnerability impacts applications relying on Apache Tomcat for web serving where HTTP/2 clear-text (h2c) connections are enabled. The flaw can lead to unauthorized disclosure of confidential information, including authentication tokens, session data, and other sensitive request content.

Critical Impact
Sensitive request headers and body data from one user may be inadvertently exposed to another user during h2c connection handling, leading to potential data leakage and privacy violations.

Affected Products

Apache Tomcat 10.0.0-M1 to 10.0.0
Apache Tomcat 9.0.0.M1 to 9.0.41
Apache Tomcat 8.5.0 to 8.5.61
Debian Linux 9.0 and 10.0
Oracle Agile PLM 9.3.3 and 9.3.6
Oracle Communications Cloud Native Core Policy 1.14.0
Oracle Communications Cloud Native Core Security Edge Protection Proxy 1.6.0
Oracle Communications Instant Messaging Server 10.0.1.5.0
Oracle Database 12.2.0.1, 19c, and 21c (Enterprise)
Oracle Graph Server and Client (through 21.3.0)
Oracle Instantis EnterpriseTrack 17.1, 17.2, and 17.3
Oracle Managed File Transfer 12.2.1.3.0 and 12.2.1.4.0
Oracle MySQL Enterprise Monitor
Oracle Siebel UI Framework

Discovery Timeline

2021-03-01 - CVE-2021-25122 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-25122

Vulnerability Analysis

The vulnerability resides in Apache Tomcat's HTTP/2 connection upgrade handling, specifically during the processing of h2c (HTTP/2 cleartext) connection requests. The HTTP/2 protocol supports an upgrade mechanism where clients can request to switch from HTTP/1.1 to HTTP/2 over an unencrypted connection. During this upgrade process, Apache Tomcat improperly handles the buffering and isolation of request data between different client connections.

The root cause relates to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). When processing concurrent h2c upgrade requests, the affected Tomcat versions fail to properly segregate request context data, allowing request headers and portions of the request body to leak between different user sessions. This vulnerability is particularly concerning in multi-tenant environments or applications handling sensitive user data.

Root Cause

The information disclosure occurs due to improper isolation of HTTP/2 stream data during the h2c connection upgrade process. Apache Tomcat's HTTP/2 implementation maintains internal buffers and state for managing multiplexed streams. When a new h2c connection is established, the server processes the upgrade request and transitions the connection to HTTP/2. During this transition, improper buffer management can cause request data from one connection to be inadvertently associated with another connection's response context.

The vulnerability specifically affects the request header handling and limited portions of the request body. The duplication of headers is particularly dangerous as these often contain authentication credentials, session tokens, and other sensitive metadata that should remain confidential to the originating client.

Attack Vector

This vulnerability can be exploited remotely over the network without requiring any authentication or user interaction. An attacker positioned on the same Tomcat server could potentially receive duplicated request data from other users by timing h2c connection requests to coincide with legitimate user activity.

The attack scenario involves:

An attacker establishes multiple h2c connection upgrade requests to a vulnerable Tomcat server
Legitimate users make requests to the same server containing sensitive data
Due to the buffer isolation flaw, portions of the legitimate user's request headers or body may be duplicated into the attacker's response
The attacker can harvest exposed authentication tokens, session identifiers, or other sensitive information

The vulnerability requires the h2c protocol to be enabled on the Tomcat server. Servers using only HTTPS with HTTP/2 over TLS (h2) or standard HTTP/1.1 connections are not directly affected by this specific issue.

Detection Methods for CVE-2021-25122

Indicators of Compromise

Unexpected or unexplained data appearing in HTTP/2 responses that does not correlate with the originating request
User reports of seeing other users' data or authentication information in their responses
Anomalous h2c connection upgrade patterns in access logs, particularly rapid successive upgrade requests
Presence of authentication tokens or session data in logs or responses for unrelated user sessions

Detection Strategies

Monitor Apache Tomcat access logs for unusual h2c connection upgrade request patterns, especially high-frequency upgrades from single sources
Implement application-level logging to track request/response data correlation and flag any mismatches
Deploy network intrusion detection systems (IDS) with signatures for h2c protocol abuse patterns
Use SentinelOne's Singularity XDR platform to correlate endpoint and network telemetry for detecting information leakage indicators

Monitoring Recommendations

Enable detailed access logging on Apache Tomcat servers to capture h2c connection upgrade events
Configure alerts for unexpected data patterns in HTTP responses, particularly headers that should be unique per session
Review web application firewall (WAF) logs for anomalous HTTP/2 traffic patterns
Implement request tracing with correlation IDs to detect cross-contamination of request data

How to Mitigate CVE-2021-25122

Immediate Actions Required

Upgrade Apache Tomcat immediately to version 10.0.2+, 9.0.43+, or 8.5.63+ depending on your deployment version
If immediate patching is not possible, consider disabling h2c protocol support temporarily until the upgrade can be completed
Audit access logs to determine if the vulnerability may have been exploited prior to patching
Review any Oracle products in your environment that embed vulnerable Tomcat versions and apply appropriate Oracle security patches

Patch Information

Apache has released security patches addressing this vulnerability. Organizations should upgrade to the following minimum versions:

Apache Tomcat 10.x: Upgrade to version 10.0.2 or later
Apache Tomcat 9.x: Upgrade to version 9.0.43 or later
Apache Tomcat 8.5.x: Upgrade to version 8.5.63 or later

For downstream products, refer to the vendor security advisories:

Workarounds

Disable HTTP/2 cleartext (h2c) protocol support if not required by your application, by removing or commenting out the HTTP/2 Upgrade protocol in server.xml
Use HTTPS with HTTP/2 over TLS (h2) instead of h2c, which provides encryption and may mitigate some data exposure risks
Implement a reverse proxy in front of Tomcat that handles HTTP/2 connections and forwards HTTP/1.1 to the backend
Apply network segmentation to limit exposure of vulnerable Tomcat instances to trusted networks only

bash

# Disable h2c protocol in Apache Tomcat server.xml
# Locate the Connector element and remove or comment out UpgradeProtocol for HTTP/2
# Before (vulnerable configuration):
# <Connector port="8080" protocol="HTTP/1.1">
#     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
# </Connector>

# After (mitigated configuration):
# Remove the UpgradeProtocol line entirely for h2c connections
# <Connector port="8080" protocol="HTTP/1.1">
# </Connector>

# Alternatively, ensure HTTP/2 is only used over TLS (port 8443)
# Restart Tomcat after configuration changes
systemctl restart tomcat

CVE-2021-25122 Overview

Critical Impact
Sensitive request headers and body data from one user may be inadvertently exposed to another user during h2c connection handling, leading to potential data leakage and privacy violations.

Affected Products

Apache Tomcat 10.0.0-M1 to 10.0.0
Apache Tomcat 9.0.0.M1 to 9.0.41
Apache Tomcat 8.5.0 to 8.5.61
Debian Linux 9.0 and 10.0
Oracle Agile PLM 9.3.3 and 9.3.6
Oracle Communications Cloud Native Core Policy 1.14.0
Oracle Communications Cloud Native Core Security Edge Protection Proxy 1.6.0
Oracle Communications Instant Messaging Server 10.0.1.5.0
Oracle Database 12.2.0.1, 19c, and 21c (Enterprise)
Oracle Graph Server and Client (through 21.3.0)
Oracle Instantis EnterpriseTrack 17.1, 17.2, and 17.3
Oracle Managed File Transfer 12.2.1.3.0 and 12.2.1.4.0
Oracle MySQL Enterprise Monitor
Oracle Siebel UI Framework

Discovery Timeline

2021-03-01 - CVE-2021-25122 published to NVD
2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-25122

Vulnerability Analysis

Root Cause

Attack Vector

The attack scenario involves:

An attacker establishes multiple h2c connection upgrade requests to a vulnerable Tomcat server
Legitimate users make requests to the same server containing sensitive data
Due to the buffer isolation flaw, portions of the legitimate user's request headers or body may be duplicated into the attacker's response
The attacker can harvest exposed authentication tokens, session identifiers, or other sensitive information

Detection Methods for CVE-2021-25122

Indicators of Compromise

Unexpected or unexplained data appearing in HTTP/2 responses that does not correlate with the originating request
User reports of seeing other users' data or authentication information in their responses
Anomalous h2c connection upgrade patterns in access logs, particularly rapid successive upgrade requests
Presence of authentication tokens or session data in logs or responses for unrelated user sessions

Detection Strategies

Monitor Apache Tomcat access logs for unusual h2c connection upgrade request patterns, especially high-frequency upgrades from single sources
Implement application-level logging to track request/response data correlation and flag any mismatches
Deploy network intrusion detection systems (IDS) with signatures for h2c protocol abuse patterns
Use SentinelOne's Singularity XDR platform to correlate endpoint and network telemetry for detecting information leakage indicators

Monitoring Recommendations

Enable detailed access logging on Apache Tomcat servers to capture h2c connection upgrade events
Configure alerts for unexpected data patterns in HTTP responses, particularly headers that should be unique per session
Review web application firewall (WAF) logs for anomalous HTTP/2 traffic patterns
Implement request tracing with correlation IDs to detect cross-contamination of request data

How to Mitigate CVE-2021-25122

Immediate Actions Required

Upgrade Apache Tomcat immediately to version 10.0.2+, 9.0.43+, or 8.5.63+ depending on your deployment version
If immediate patching is not possible, consider disabling h2c protocol support temporarily until the upgrade can be completed
Audit access logs to determine if the vulnerability may have been exploited prior to patching
Review any Oracle products in your environment that embed vulnerable Tomcat versions and apply appropriate Oracle security patches

Patch Information

Apache has released security patches addressing this vulnerability. Organizations should upgrade to the following minimum versions:

Apache Tomcat 10.x: Upgrade to version 10.0.2 or later
Apache Tomcat 9.x: Upgrade to version 9.0.43 or later
Apache Tomcat 8.5.x: Upgrade to version 8.5.63 or later

For downstream products, refer to the vendor security advisories:

Workarounds

Disable HTTP/2 cleartext (h2c) protocol support if not required by your application, by removing or commenting out the HTTP/2 Upgrade protocol in server.xml
Use HTTPS with HTTP/2 over TLS (h2) instead of h2c, which provides encryption and may mitigate some data exposure risks
Implement a reverse proxy in front of Tomcat that handles HTTP/2 connections and forwards HTTP/1.1 to the backend
Apply network segmentation to limit exposure of vulnerable Tomcat instances to trusted networks only

bash

# Disable h2c protocol in Apache Tomcat server.xml
# Locate the Connector element and remove or comment out UpgradeProtocol for HTTP/2
# Before (vulnerable configuration):
# <Connector port="8080" protocol="HTTP/1.1">
#     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
# </Connector>

# After (mitigated configuration):
# Remove the UpgradeProtocol line entirely for h2c connections
# <Connector port="8080" protocol="HTTP/1.1">
# </Connector>

# Alternatively, ensure HTTP/2 is only used over TLS (port 8443)
# Restart Tomcat after configuration changes
systemctl restart tomcat

CVE-2021-25122: Apache Tomcat Information Disclosure Flaw

CVE-2021-25122 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-25122

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-25122

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-25122

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2021-25122: Apache Tomcat Information Disclosure Flaw

CVE-2021-25122 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2021-25122

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2021-25122

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2021-25122

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform