CVE-2023-34981 Overview
CVE-2023-34981 is an information disclosure vulnerability affecting Apache Tomcat caused by a regression in the fix for bug 66512. When a response does not include any HTTP headers, no AJP SEND_HEADERS message is sent, which causes at least one AJP proxy (mod_proxy_ajp) to use the response headers from the previous request. This leads to an information leak where sensitive header data from one user's request could be exposed to another user.
Critical Impact
This vulnerability can expose sensitive response headers from previous requests to unauthorized users, potentially leaking authentication tokens, session identifiers, or other confidential information through AJP proxy configurations.
Affected Products
- Apache Tomcat 11.0.0-M5
- Apache Tomcat 10.1.8
- Apache Tomcat 9.0.74
- Apache Tomcat 8.5.88
Discovery Timeline
- 2023-06-21 - CVE-2023-34981 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-34981
Vulnerability Analysis
The vulnerability stems from a regression introduced while fixing bug 66512 in Apache Tomcat. The AJP (Apache JServ Protocol) is a binary protocol used for communication between web servers and application servers. When properly functioning, Tomcat sends an AJP SEND_HEADERS message as part of every response to inform the proxy about the response headers.
The regression causes Tomcat to skip sending the SEND_HEADERS message when a response contains no HTTP headers. This creates a protocol violation where the AJP proxy (mod_proxy_ajp) has no header information for the current response. As a result, the proxy falls back to using cached headers from the previous request, causing header information leakage between different user sessions.
This vulnerability is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), as the improper protocol handling results in unauthorized access to response header information.
Root Cause
The root cause is a conditional logic error introduced in the fix for bug 66512. The code path that generates and sends AJP SEND_HEADERS messages incorrectly skips execution when the response header collection is empty. This violates the AJP protocol specification, which requires a SEND_HEADERS message for every response regardless of whether headers are present.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by:
- Setting up or having access to a deployment where Apache Tomcat communicates with an Apache HTTP Server using mod_proxy_ajp
- Sending requests designed to trigger responses with no headers
- Monitoring subsequent requests to capture response headers from other users' sessions
The vulnerability is particularly dangerous in multi-tenant environments or high-traffic applications where the probability of capturing sensitive headers from other users increases significantly.
The exploitation relies on the timing and ordering of requests through the AJP proxy. When a response without headers is processed, the next user's request through the same proxy connection may receive response headers intended for a different user.
Detection Methods for CVE-2023-34981
Indicators of Compromise
- Unexpected response headers appearing in HTTP responses that don't match the expected application behavior
- User sessions receiving authentication or authorization headers from other users' requests
- Inconsistent Set-Cookie, Authorization, or custom application headers in responses
- Log entries showing header mismatches between Tomcat and the AJP proxy
Detection Strategies
- Monitor AJP traffic between Apache HTTP Server and Tomcat for missing SEND_HEADERS messages
- Implement application-level logging to track response header consistency
- Review access logs for anomalies where users appear to receive responses intended for other sessions
- Deploy network monitoring tools to analyze AJP protocol compliance
Monitoring Recommendations
- Enable detailed AJP protocol logging on both the proxy and Tomcat servers
- Set up alerts for session-related header inconsistencies
- Monitor for authentication bypass attempts that could result from header leakage
- Regularly audit Tomcat version deployments across the infrastructure
How to Mitigate CVE-2023-34981
Immediate Actions Required
- Upgrade Apache Tomcat to a patched version immediately: 8.5.89+, 9.0.75+, 10.1.9+, or 11.0.0-M6+
- If immediate upgrade is not possible, consider temporarily disabling AJP connector or switching to HTTP-based proxying
- Review application code to ensure responses always include at least one HTTP header
- Audit logs for any evidence of information leakage that may have occurred
Patch Information
Apache has released patched versions addressing this regression. Users should upgrade to the following versions or later:
- Apache Tomcat 8.5.89 or later
- Apache Tomcat 9.0.75 or later
- Apache Tomcat 10.1.9 or later
- Apache Tomcat 11.0.0-M6 or later
For detailed information, refer to the Apache Mailing List Thread and the NetApp Security Advisory NTAP-20230714-0003.
Workarounds
- Disable the AJP connector if not required by commenting out or removing the AJP connector configuration in server.xml
- Switch to HTTP/HTTPS-based proxying using mod_proxy_http instead of mod_proxy_ajp
- Implement a reverse proxy rule to inject a minimal header into all responses before they reach the AJP proxy
- Restrict AJP connector access to localhost only using the address attribute
# Configuration example - Disable AJP connector in server.xml
# Comment out or remove the following line:
# <Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />
# Alternative: Restrict AJP to localhost only
# <Connector protocol="AJP/1.3" port="8009" address="127.0.0.1" secretRequired="true" secret="your-secret-here" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
