kb: expand authorized lab coverage and intel automation
@@ -0,0 +1,57 @@
---
title: "Apache Tomcat request smuggling mapping"
published_date: "2023-11-28"
affected_versions:
- "10.1.0-M1 to 10.1.15"
fixed_versions:
- "10.1.16"
severity: "important"
exploit_status: "See official advisory"
stack:
- "Apache Tomcat"
- "reverse proxy"
attack_type:
- "request smuggling"
primary_source: "https://tomcat.apache.org/security-10.html"
secondary_sources: []
target_types:
- "lab-local"
- "lab-public"
- "authorized-third-party"
public_target_allowed: true
authorization_required: true
minimum_validation: "Use a lab proxy + Tomcat chain with partial PUT support and compare parser behavior."
prohibited_use: "Do not attempt smuggling payloads against unowned public services."
---

# Apache Tomcat CVE-2023-46589 映射

## 事件层

- 官方来源: [Apache Tomcat 10.x Security Reports](https://tomcat.apache.org/security-10.html)
- 发布时间: 2023-11-28
- 影响范围: 10.1.0-M1 至 10.1.15
- 修复版本: 10.1.16

官方说明指出,在 Tomcat 位于反向代理之后且支持 partial PUT 时,可能出现请求走私问题。这个案例的价值在于提醒边界层与应用层解析不一致时,前置防护很容易失效。

## 实验层

### 实验思路

1. 在隔离环境中搭建“反向代理 -> Tomcat”链路。
2. 开启与公告条件匹配的请求处理能力。
3. 对比代理和 Tomcat 对同一请求边界的解析差异。
4. 升级至修复版本后再次验证。

### 推荐的最小化验证

- 仅在隔离链路中复现,不对无授权公网服务发送走私 payload。
- 重点记录代理日志、Tomcat access log 与应用日志的差异。
- 将复现目标限定为“确认解析不一致存在”,而不是扩展到真实业务利用。

### 观测点

- 代理与 Tomcat 的请求边界是否一致
- partial PUT 与代理层转发组合是否触发异常行为
- 修复版本是否消除解析差异
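Review bot: the frontmatter has no CVE identifier even though the body heading is `# Apache Tomcat CVE-2023-46589 映射`; add a structured field next to `title`, e.g. `cve_id: "CVE-2023-46589"`, so the record can be indexed by CVE rather than by free-text heading, which matters for the "intel automation" named in the commit title. Two further points. First, `minimum_validation` and the 事件层 paragraph make "partial PUT support" the triggering precondition for this request-smuggling entry, but `primary_source` is the only reference given and `secondary_sources` is `[]`, so please confirm that precondition against the linked Tomcat 10.x security page before it becomes the lab setup for this record; if the advisory states a different condition, the 实验思路 step 2 ("开启与公告条件匹配的请求处理能力") and the 观测点 bullet on partial PUT need to follow it. Second, `exploit_status: "See official advisory"` is a pointer, not a status; an enumerated value (for example `unknown`) that automation can filter on would be more useful than a sentence.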