This document addresses concerns about ePO and the Tomcat vulnerability. This report reflects questions about CVE-2021-33037, referenced in the Tomcat Security Advisory.

On June 15, 2021, the Apache Tomcat foundation issued the following security advisory for CVE-2021-33037:

CVE description:
Apache Tomcat didn’t correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically: Tomcat incorrectly ignored the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response. Tomcat honored the identify encoding, but Tomcat didn’t ensure that, if present, the chunked encoding was the final encoding.

As the CVE description indicates, this CVE only applies to a Tomcat implementation when used with a reverse proxy. If a reverse proxy isn’t used in your ePO implementation, this CVE doesn’t apply.

We’re currently investigating if CVE-2021-33037 applies to ePO's Tomcat implementation in an environment that does use a reverse proxy. This article will be updated when that investigation is complete.