NVD脆弱性詳細

CVE-2023-45648

概要	Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
公表日	2023年10月11日4:15
登録日	2023年10月11日10:00
最終更新日	2024年11月21日17:27

CVSS3.1 : MEDIUM
スコア	5.3
ベクター	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:tomcat:9.0.0:milestone1::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone10::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone11::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone12::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone14::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone15::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone16::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone17::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone18::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone19::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone2::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone20::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone21::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone22::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone23::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone24::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone25::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone26::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone27::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone4::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone5::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone6::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone7::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone8::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone9::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone13::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone14::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone16::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone15::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone17::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone1::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone2::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone4::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone3::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone5::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone7::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone8::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone9::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone10::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone6::::::
cpe:2.3:a:apache:tomcat::::::::	10.1.1			10.1.14
cpe:2.3:a:apache:tomcat:10.1.0:milestone20::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone19::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone18::::::
cpe:2.3:a:apache:tomcat::::::::	8.5.0			8.5.94
cpe:2.3:a:apache:tomcat::::::::	9.0.1			9.0.81
cpe:2.3:a:apache:tomcat:11.0.0:milestone11::::::

構成2	以上	以下	より上	未満
cpe:2.3:o:debian:debian_linux:10.0:::::::*
cpe:2.3:o:debian:debian_linux:11.0:::::::*
cpe:2.3:o:debian:debian_linux:12.0:::::::*

関連情報、対策とツール

No	URL	タグ
1	http://www.openwall.com/lists/oss-security/2023/10/10/10	Mailing List Third Party Advisory
2	http://www.openwall.com/lists/oss-security/2023/10/10/10	Mailing List Third Party Advisory
3	https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp	Vendor Advisory
4	https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp	Vendor Advisory
5	https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html	Mailing List Third Party Advisory
6	https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html	Mailing List Third Party Advisory
7	https://security.netapp.com/advisory/ntap-20231103-0007/
8	https://security.netapp.com/advisory/ntap-20231103-0007/
9	https://www.debian.org/security/2023/dsa-5521	Third Party Advisory
10	https://www.debian.org/security/2023/dsa-5521	Third Party Advisory
11	https://www.debian.org/security/2023/dsa-5522	Third Party Advisory
12	https://www.debian.org/security/2023/dsa-5522	Third Party Advisory

共通脆弱性一覧

JVN脆弱性情報

Apache Software Foundation の Apache Tomcat 等複数ベンダの製品における入力確認に関する脆弱性

タイトル	Apache Software Foundation の Apache Tomcat 等複数ベンダの製品における入力確認に関する脆弱性
概要	Apache Software Foundation の Apache Tomcat 等複数ベンダの製品には、HTTP trailer ヘッダを正しく解析しないため、入力確認に関する脆弱性が存在します。
想定される影響	巧妙に細工された無効な trailer ヘッダを介して、単一のリクエストを複数のリクエストとして扱われ、リバースプロキシの背後でリクエストスマグリングされる可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2023年10月10日0:00
登録日	2023年12月27日12:15
最終更新日	2024年7月3日16:59

影響を受けるシステム

Apache Software Foundation

Apache Tomcat 10.1.1 以上 10.1.14 未満

Apache Tomcat 8.5.0 以上 8.5.94 未満

Apache Tomcat 9.0.0

Apache Tomcat 9.0.1 以上 9.0.81 未満

日立

Cosminexus Component Container

Hitachi Ops Center Administrator

Hitachi Ops Center Common Services

uCosminexus Application Server

uCosminexus Application Server(64)

uCosminexus Application Server-R

uCosminexus Developer

uCosminexus Primary Server Base

uCosminexus Primary Server Base(64)

uCosminexus Service Architect

uCosminexus Service Platform

uCosminexus Service Platform(64)

Debian

Debian GNU/Linux 10.0

Debian GNU/Linux 11.0

Debian GNU/Linux 12.0

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2023-45648	https://www.cve.org/CVERecord?id=CVE-2023-45648
National Vulnerability Database (NVD)
2	CVE-2023-45648	https://nvd.nist.gov/vuln/detail/CVE-2023-45648

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	名前	URL
Hitachi Software Vulnerability Information
1	hitachi-sec-2024-107	https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-107/index.html
2	hitachi-sec-2024-115	https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-115/index.html
3	hitachi-sec-2024-134	https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-134/index.html
Pony Mail
4	[SECURITY] CVE-2023-45648 Apache Tomcat - Request Smuggling	https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp
ソフトウェア製品セキュリティ情報
5	hitachi-sec-2024-107	https://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2024-107/index.html
6	hitachi-sec-2024-115	https://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2024-115/index.html
7	hitachi-sec-2024-134	https://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2024-134/index.html

その他

No	名前	URL
JVN
1	JVNVU#93620838	https://jvn.jp/vu/JVNVU93620838/
関連文書
2	security.netapp.com (ntap-20231103-0007)	https://security.netapp.com/advisory/ntap-20231103-0007/
3	www.openwall.com (oss-security/2023/10/10/10)	http://www.openwall.com/lists/oss-security/2023/10/10/10

変更履歴

No	変更内容	変更日
3	[2024年03月13日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日立 (hitachi-sec-2024-115) を追加	2024年3月13日11:49
1	[2023年12月27日] 掲載	2023年12月27日11:00
2	[2024年01月31日] ベンダ情報：日立 (hitachi-sec-2024-107) を追加影響を受けるシステム：ベンダ情報の追加に伴い内容を更新	2024年1月31日13:53
4	[2024年07月03日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日立 (hitachi-sec-2024-134) を追加	2024年7月3日16:30

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:tomcat:9.0.0:milestone1::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone10::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone11::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone12::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone14::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone15::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone16::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone17::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone18::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone19::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone2::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone20::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone21::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone22::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone23::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone24::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone25::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone26::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone27::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone4::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone5::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone6::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone7::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone8::::::
cpe:2.3:a:apache:tomcat:9.0.0:milestone9::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone13::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone14::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone16::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone15::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone17::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone1::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone2::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone4::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone3::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone5::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone7::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone8::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone9::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone10::::::
cpe:2.3:a:apache:tomcat:11.0.0:milestone6::::::
cpe:2.3:a:apache:tomcat::::::::	10.1.1			10.1.14
cpe:2.3:a:apache:tomcat:10.1.0:milestone20::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone19::::::
cpe:2.3:a:apache:tomcat:10.1.0:milestone18::::::
cpe:2.3:a:apache:tomcat::::::::	8.5.0			8.5.94
cpe:2.3:a:apache:tomcat::::::::	9.0.1			9.0.81
cpe:2.3:a:apache:tomcat:11.0.0:milestone11::::::