CVE-2021-33037: Incorrect Transfer-Encoding handling with HTTP/1.0
First published: Mon Jul 12 2021(Updated: )
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jws5-tomcat | <0:9.0.50-3.redhat_00004.1.el7 | 0:9.0.50-3.redhat_00004.1.el7 |
| redhat/jws5-tomcat-native | <0:1.2.30-3.redhat_3.el7 | 0:1.2.30-3.redhat_3.el7 |
| redhat/jws5-tomcat-vault | <0:1.1.8-4.Final_redhat_00004.1.el7 | 0:1.1.8-4.Final_redhat_00004.1.el7 |
| redhat/jws5-tomcat | <0:9.0.50-3.redhat_00004.1.el8 | 0:9.0.50-3.redhat_00004.1.el8 |
| redhat/jws5-tomcat-native | <0:1.2.30-3.redhat_3.el8 | 0:1.2.30-3.redhat_3.el8 |
| redhat/jws5-tomcat-vault | <0:1.1.8-4.Final_redhat_00004.1.el8 | 0:1.1.8-4.Final_redhat_00004.1.el8 |
| redhat/tomcat | <10.0.7 | 10.0.7 |
| redhat/tomcat | <9.0.48 | 9.0.48 |
| redhat/tomcat | <8.5.68 | 8.5.68 |
| maven/org.apache.tomcat:tomcat | >=8.5.0<8.5.68 | 8.5.68 |
| maven/org.apache.tomcat:tomcat | >=9.0.0-M1<9.0.48 | 9.0.48 |
| maven/org.apache.tomcat:tomcat | >=10.0.0-M1<10.0.7 | 10.0.7 |
| Apache Tomcat | >=8.5.0<=8.5.66 | |
| Apache Tomcat | >9.0.0<=9.0.46 | |
| Apache Tomcat | >10.0.0<=10.0.6 | |
| Apache TomEE | =8.0.6 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Oracle Agile PLM | =9.3.6 | |
| Oracle Communications Cloud Native Core Policy | =1.14.0 | |
| Oracle Communications Cloud Native Core Service Communication Proxy | =1.14.0 | |
| Oracle Communications Diameter Signaling Router | >=8.0.0.0<=8.5.0.2 | |
| Oracle Communications Instant Messaging Server | =10.0.1.5.0 | |
| Oracle Communications Policy Management | =12.5.0 | |
| Oracle Communications Pricing Design Center | =12.0.0.3.0 | |
| Oracle Communications Session Report Manager | >=8.0.0<=8.2.4.0 | |
| Oracle Communications Session Route Manager | >=8.0.0<=8.2.4 | |
| Oracle Graph Server And Client | <21.4 | |
| Oracle Healthcare Translational Research | =4.1.0 | |
| Oracle Hospitality Cruise Shipboard Property Management System | =20.1.0 | |
| Oracle Instantis Enterprisetrack | =17.1 | |
| Oracle Instantis Enterprisetrack | =17.2 | |
| Oracle Instantis Enterprisetrack | =17.3 | |
| Oracle Managed File Transfer | =12.2.1.3.0 | |
| Oracle Managed File Transfer | =12.2.1.4.0 | |
| Oracle Mysql Enterprise Monitor | <=8.0.25 | |
| Oracle SD-WAN Edge | =9.0 | |
| Oracle SD-WAN Edge | =9.1 | |
| Oracle Secure Global Desktop | =5.6 | |
| Oracle Utilities Testing Accelerator | =6.0.0.1.1 | |
| Oracle Utilities Testing Accelerator | =6.0.0.2.2 | |
| Oracle Utilities Testing Accelerator | =6.0.0.3.1 | |
| McAfee ePolicy Orchestrator | <5.10.0 | |
| McAfee ePolicy Orchestrator | =5.10.0 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_1 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_10 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_2 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_3 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_4 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_5 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_6 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_7 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_8 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_9 | |
| IBM DRM | <=2.0.6 | |
| debian/tomcat9 | 9.0.43-2~deb11u10 9.0.70-2 9.0.95-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2021-33037
- https://github.com/apache/tomcat/commit/45d70a86a901cbd534f8f570bed2aec9f7f7b88e
- https://github.com/apache/tomcat/commit/05f9e8b00f5d9251fcd3c95dcfd6cf84177f46c8
- https://github.com/apache/tomcat/commit/a2c3dc4c96168743ac0bab613709a5bbdaec41d0
- https://security-tracker.debian.org/tracker/CVE-2021-30640
- https://bz.apache.org/bugzilla/show_bug.cgi?id=65224
- https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb
- https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434
- https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e
- https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56
- https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862
- https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43
- https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0
- https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945
- https://security-tracker.debian.org/tracker/CVE-2021-30639
- https://bz.apache.org/bugzilla/show_bug.cgi?id=65203
- https://github.com/apache/tomcat/commit/8ece47c4a9fb9349e8862c84358a4dd23c643a24
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991046
- https://www.cve.org/CVERecord?id=CVE-2021-33037 https://nvd.nist.gov/vuln/detail/CVE-2021-33037
- https://bugzilla.redhat.com/show_bug.cgi?id=1981533
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2021:4863
- https://access.redhat.com/errata/RHSA-2021:4861
- https://access.redhat.com/errata/RHSA-2022:1179
- https://access.redhat.com/security/cve/cve-2021-33037
- https://lists.apache.org/thread.html/r612a79269b0d5e5780c62dfd34286a8037232fec0bc6f1a7e60c9381%40%3Cannounce.tomcat.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262@%3Ccommits.tomee.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html
- https://www.debian.org/security/2021/dsa-4952
- https://security.netapp.com/advisory/ntap-20210827-0007/
- https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37@%3Ccommits.tomee.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://kc.mcafee.com/corporate/index?page=content&id=SB10366
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://security.gentoo.org/glsa/202208-34
- https://launchpad.net/bugs/cve/CVE-2021-33037
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1981534
- https://nvd.nist.gov/vuln/detail/CVE-2021-33037
- https://kc.mcafee.com/corporate/index?page=content&id=SB10366
- https://lists.apache.org/thread/kovg1bft77xo34ksrcskh5nl50p69962
- https://github.com/apache/tomcat/commit/19d11556d0db99df291df33605f137976d152475
- https://github.com/apache/tomcat/commit/3202703e6d635e39b74262e81f0cb4bcbe2170dc
- https://github.com/apache/tomcat/commit/506134f957a4be2c5b4a9334f7b3435fc954dbc1
- https://github.com/apache/tomcat/commit/8874fa02e9b36baa9ca6b226c0882c0190ca5a02
- https://github.com/apache/tomcat/commit/da0e7cb093cf68b052d9175e469dbd0464441b0b
- https://github.com/apache/tomcat/commit/eee0d024c1b3171560c92eaba79dd6eb8eb11bcd
- https://security.netapp.com/advisory/ntap-20210827-0007
- https://tomcat.apache.org/security-10.html
- https://tomcat.apache.org/security-8.html
- https://tomcat.apache.org/security-9.html
- https://github.com/advisories/GHSA-4vww-mc66-62m6 (Advisory)
- https://lists.apache.org/thread.html/r290aee55b72811fd19e75ac80f6143716c079170c5671b96932ed44b%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r40f921575aee8d7d34e53182f862c45cbb8f3d898c9d4e865c2ec262%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rc6ef52453bb996a98cb45442871a1db56b7c349939e45d829bf9ae37%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rd0dfea39829bc0606c936a16f6fca338127c86c0a1083970b45ac8d2%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/re01e7e93154e8bdf78a11a23f9686427bd3d51fc6e12c508645567b7%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf1b54fd3f52f998ca4829159a88cc4c23d6cef5c6447d00948e75c97%40%3Ccommits.tomee.apache.org%3E
- https://exchange.xforce.ibmcloud.com/vulnerabilities/205222
- https://www.ibm.com/support/pages/node/6497499 (Advisory)
- https://ubuntu.com/security/CVE-2021-33037
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-33037?
The severity of CVE-2021-33037 is medium with a CVSS score of 4.3.
How does CVE-2021-33037 affect Apache Tomcat?
CVE-2021-33037 affects Apache Tomcat versions 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46, and 8.5.0 to 8.5.66.
What is the remedy for CVE-2021-33037?
The remedy for CVE-2021-33037 is to upgrade Apache Tomcat to version 10.0.7, 9.0.48, or 8.5.68.
Where can I find more information about CVE-2021-33037?
You can find more information about CVE-2021-33037 at the following references: [CVE-2021-33037 at CVE.org](https://www.cve.org/CVERecord?id=CVE-2021-33037) and [CVE-2021-33037 at NIST](https://nvd.nist.gov/vuln/detail/CVE-2021-33037).
What is the CWE for CVE-2021-33037?
The CWE for CVE-2021-33037 is CWE-444.
- collector/debian-bugs
- alias/CVE-2021-33037
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/remedy
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/weakness
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4vww-mc66-62m6
- collector/github-advisory
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/security-tracker-debian
- source/Debian
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/event
- collector/ibm-support
- source/IBM
- agent/references
- agent/softwarecombine
- agent/tags
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- package-manager/maven
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/8.5.0
- version/apache tomcat/8.5.66
- version/apache tomcat/9.0.46
- version/apache tomcat/10.0.6
- canonical/apache tomee
- version/apache tomee/8.0.6
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/oracle
- canonical/oracle agile plm
- version/oracle agile plm/9.3.6
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.14.0
- canonical/oracle communications cloud native core service communication proxy
- version/oracle communications cloud native core service communication proxy/1.14.0
- canonical/oracle communications diameter signaling router
- version/oracle communications diameter signaling router/8.0.0.0
- version/oracle communications diameter signaling router/8.5.0.2
- canonical/oracle communications instant messaging server
- version/oracle communications instant messaging server/10.0.1.5.0
- canonical/oracle communications policy management
- version/oracle communications policy management/12.5.0
- canonical/oracle communications pricing design center
- version/oracle communications pricing design center/12.0.0.3.0
- canonical/oracle communications session report manager
- version/oracle communications session report manager/8.0.0
- version/oracle communications session report manager/8.2.4.0
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.0.0
- version/oracle communications session route manager/8.2.4
- canonical/oracle graph server and client
- canonical/oracle healthcare translational research
- version/oracle healthcare translational research/4.1.0
- canonical/oracle hospitality cruise shipboard property management system
- version/oracle hospitality cruise shipboard property management system/20.1.0
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle managed file transfer
- version/oracle managed file transfer/12.2.1.3.0
- version/oracle managed file transfer/12.2.1.4.0
- canonical/oracle mysql enterprise monitor
- version/oracle mysql enterprise monitor/8.0.25
- canonical/oracle sd-wan edge
- version/oracle sd-wan edge/9.0
- version/oracle sd-wan edge/9.1
- canonical/oracle secure global desktop
- version/oracle secure global desktop/5.6
- canonical/oracle utilities testing accelerator
- version/oracle utilities testing accelerator/6.0.0.1.1
- version/oracle utilities testing accelerator/6.0.0.2.2
- version/oracle utilities testing accelerator/6.0.0.3.1
- vendor/mcafee
- canonical/mcafee epolicy orchestrator
- version/mcafee epolicy orchestrator/5.10.0
- version/mcafee epolicy orchestrator/5.10.0-update_1
- version/mcafee epolicy orchestrator/5.10.0-update_10
- version/mcafee epolicy orchestrator/5.10.0-update_2
- version/mcafee epolicy orchestrator/5.10.0-update_3
- version/mcafee epolicy orchestrator/5.10.0-update_4
- version/mcafee epolicy orchestrator/5.10.0-update_5
- version/mcafee epolicy orchestrator/5.10.0-update_6
- version/mcafee epolicy orchestrator/5.10.0-update_7
- version/mcafee epolicy orchestrator/5.10.0-update_8
- version/mcafee epolicy orchestrator/5.10.0-update_9
- package-manager/debian
- vendor/ibm
- canonical/ibm drm
- version/ibm drm/2.0.6