This document addresses concerns about ePO and the Tomcat vulnerability. This report reflects questions about CVE-2021-33037, referenced in the Tomcat Security Advisory.

On June 15, 2021, the Apache Tomcat foundation issued the following security advisory for CVE-2021-33037:
CVE description:
Apache Tomcat didn't correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; Tomcat honored the identity encoding; and Tomcat didn't ensure that, if present, the chunked encoding was the final encoding.
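The three parsing conditions in the CVE description are easier to reason about as framing rules a receiver enforces. The following is an added example, not Tomcat's code and not part of the advisory: a standalone policy that refuses a request whenever its body framing is ambiguous, so a reverse proxy in front and the server behind it cannot disagree about where one request ends and the next begins. The supported-coding set, the rejection of Transfer-Encoding on HTTP/1.0 requests, and the rejection of requests carrying both Transfer-Encoding and Content-Length are policy choices assumed for this example, not behaviour the advisory attributes to Tomcat.

```python
"""Strict Transfer-Encoding framing checks for an HTTP/1.x server or reverse proxy.

Added illustration of the three parsing conditions in the CVE-2021-33037 description.
This is not Tomcat's code; it is a standalone policy that refuses to guess when the
request framing is ambiguous, so a front-end proxy and a back-end cannot disagree.
"""
from dataclasses import dataclass

# Transfer codings this receiver understands (constructed set for this example).
SUPPORTED_CODINGS = {"chunked", "gzip", "deflate"}


@dataclass
class Verdict:
    status: int          # HTTP status to answer with (200 == framing accepted)
    reason: str
    codings: tuple = ()  # normalized Transfer-Encoding coding list, in order


def parse_codings(values):
    """Flatten one or more Transfer-Encoding field values into a lower-cased list.
    RFC 7230 3.2.2: repeated list-typed header lines equal one comma-joined list."""
    out = []
    for value in values:
        for token in value.split(","):
            token = token.strip().lower()
            if token:
                out.append(token)
    return out


def check_framing(request_line, headers):
    """Decide whether the request's body framing is unambiguous.

    request_line: e.g. "POST /x HTTP/1.1"; headers: list of (name, value) in wire order.
    Returns a Verdict; status 200 means the framing is accepted.
    """
    version = request_line.rsplit(" ", 1)[-1].upper()
    te_values = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    cl_values = [v.strip() for n, v in headers if n.strip().lower() == "content-length"]

    if not te_values:
        if len(set(cl_values)) > 1:
            return Verdict(400, "conflicting Content-Length values")
        return Verdict(200, "framed by Content-Length or no body")

    # Condition 1 from the advisory: an HTTP/1.0 request carrying Transfer-Encoding.
    # Chunked framing is not defined for HTTP/1.0, so silently ignoring the header lets
    # an intermediary and this server frame the body differently. Reject instead (policy).
    if version != "HTTP/1.1":
        return Verdict(400, f"Transfer-Encoding not accepted for {version}")

    codings = parse_codings(te_values)
    # Condition 2: "identity" is a no-op coding (RFC 2616) that RFC 7230 removed.
    # Drop it so it cannot stand in for "no transfer coding" or hide a following coding.
    codings = [c for c in codings if c != "identity"]
    if not codings:
        return Verdict(400, "Transfer-Encoding carried no effective coding")

    unknown = [c for c in codings if c not in SUPPORTED_CODINGS]
    if unknown:
        # RFC 7230 3.3.1: a coding the server does not understand gets 501, never ignored.
        return Verdict(501, f"unsupported transfer coding: {unknown[0]}")

    # Condition 3: chunked, if present, must be the final coding (RFC 7230 3.3.1).
    if "chunked" in codings and codings[-1] != "chunked":
        return Verdict(400, "chunked must be the final transfer coding")
    if "chunked" not in codings:
        # A request with Transfer-Encoding but no final chunked has no determinable length.
        return Verdict(400, "Transfer-Encoding without final chunked has no length")

    if cl_values:
        # RFC 7230 3.3.3 lets Transfer-Encoding override Content-Length, but a request
        # that sends both is the classic smuggling ambiguity; this policy rejects it.
        return Verdict(400, "Transfer-Encoding and Content-Length both present")

    return Verdict(200, "framed by chunked transfer coding", tuple(codings))


if __name__ == "__main__":
    # Constructed header sets exercising each rule.
    for line, hdrs in [
        ("POST /a HTTP/1.1", [("Transfer-Encoding", "gzip, chunked")]),
        ("POST /a HTTP/1.1", [("Transfer-Encoding", "chunked, gzip")]),
        ("POST /a HTTP/1.0", [("Transfer-Encoding", "chunked")]),
        ("POST /a HTTP/1.1", [("Transfer-Encoding", "identity")]),
    ]:
        print(line, hdrs, "->", check_framing(line, hdrs))
```

The useful property is that every outcome is a hard accept or reject: the receiver never quietly reinterprets a header the way the advisory describes, which is what a front-end proxy and a back-end need in order to stay in agreement.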
As the CVE description indicates, this CVE only applies to a Tomcat implementation when used with a reverse proxy. If a reverse proxy isn’t used in your ePO implementation, this CVE doesn’t apply.
We’re currently investigating if CVE-2021-33037 applies to ePO's Tomcat implementation in an environment that does use a reverse proxy. This article will be updated when that investigation is complete.