Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

CVE-2021-33037: What bad can be done with HTTP request smuggling

Edited

Hi,

im struggeling to understand how exactly this could be exploited.

Our instances in question have some CORS rules as the only security measures on the (HTTPS) reverse proxy level.

What risks come with this vulnerability, could an attacker hijack a user session?

What else could an attacker do?

Cheers

Jens

2 answers

1 accepted

1 vote
Answer accepted

On another channel i received this from Tobias Theobald from re:Solution

 

Disclaimer: this is based on my understanding of the issue. I am unfamiliar with this particular issue, but have a good knowledge about security in general.
I understand it could be used to bypass security measures that are enforced by a reverse proxy.
Yes. The issue arises by the backend application (e.g. Jira) and the reverse proxy (e.g. nginx or AWS ELB) interpreting the request differently from one another.
This specific issue seems to be about the Transfer-Encoding header specifically. So by exploiting this vulnerability, an attacker might be able to send a request such that if effectively bypasses the security checks implemented at the reverse proxy level because the reverse proxy thinks it's one request and Tomcat thinks it's two requests.This means that if your reverse proxy has any rules to block a request, it might be tricked to allow it past because it interprets the body differently from what Tomcat (among other things the HTTP framework Jira uses) does.That is basically it if you look purely at this vulnerability. Unless you do anything filtering or transformations at the Reverse Proxy level, you're probably fine.The example 2 on the CWE page you're referring to is assuming that page.asp allows remote code execution (RCE, on purpose or as a vulnerability) and that such an attack would be filtered by a reverse proxy. By bypassing that filter on the reverse proxy, an attacker could chain those exploits together to "get to" the RCE exploit.The request smuggling alone does not allow for RCE, unless your backend application either allows for it and depends on the reverse proxy for access control or has a vulnerability that you're trying to protect against using the reverse proxy.To give a real world example:Let's say you have a service that is vulnerable to the log4j vulnerability revealed last month. You didn't want to patch it for some reason and just configured a filter on the reverse proxy to filter out any requests containing ${jndi for example. This is a bad way of doing things since this can be circumvented in other ways, but let's assume you did that.This request smuggling vulnerability could now be used in such a case to "hide" the exploiting request in a benign one, circumvent this filter because the reverse proxy only sees the benign one and gain RCE by smuggling the request containing the malicious string past the reverse proxy filter and triggering the log4j vulnerability.Another possible example is if your service was offering a restricted area under a certain path and that restriction was enforced by reverse proxy rules. Those could be circumvented.But since Jira has its own authentication, I think we should be fine. Every reverse proxy configuration I can think of for Jira either has no such filters or filter all traffic based on certain rules (e.g. to hide Jira completely behind SSO) (Although take that with a grain of salt since I don't get in touch with customers much)So yeah, all in all, I think this attack will, in my opinion and according to my understanding, generally not be problematic for Atlassian's line of server and data center products unless customers have unusual configurations in their reverse proxies.
0 votes
Daniel Eads Atlassian Team Jan 07, 2022

Hi @Jens Kisters _APTIS_ ,

I would refer you to the upstream vulnerability in Apache Tomcat: CVE-2021-33037 (at nvd.nist.gov) . Atlassian routinely upgrades the bundled Tomcat version to include fixes for such issues. It is possible to upgrade the Tomcat used by Jira manually, however such a modification would go outside the scope of Atlassian Support and we would request that you revert back to the bundled version of Tomcat in some situations when opening technical support cases.

Cheers,
Daniel

Hi Daniel,

thanks for the pointer, do i assume right you were pointing me to this link inside the page you linked?

http://cwe.mitre.org/data/definitions/444.html

 

I understand that "Example 1" would allow an attacker to bypass access restrictions that are implemented in e.g. an nginx reverse proxy.

 

Example 2 sounds like there could be a way to do some remote code execution, but im not sure what the preconditions are for this to work.

Is the precondition that there is an existing RCE vulnerability in the application which was intended to be blocked off by the reverse proxy?

 

I would be glad i anyone could clarify this.

 

thanks in advance

Jens

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Jira Software

👋 Looking for 15-20 volunteers to test Atlassian training content

Hi everyone! Are you interested in beta testing Atlassian University’s newest (unreleased!) training course? We’re looking for 15-20 volunteers to test our newest training course, Basic reporting...

746 views 23 27
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you