Qualys scan for our application detects an "Apache Tomcat Multiple Content Length Headers Information Disclosure" vulnerability.
Qualys scan sends the following request to our load balancer:
POST /index.jsp HTTP/1.0 Content-Length: 0 Content-Length: 0 HTTP/1.1
The Stingray Load Balancer in front of our application does not reject this HTTP request (multiple Content-Length headers with the same value); instead it merges them and forwards the request to the backend Tomcat nodes.
Based on our findings, our LB's behaviour is consistent with the HTTP/1.1 RFC 7230:
“If a message is received that has multiple Content-Length header fields with field-values consisting of the same decimal value, or a single Content-Length header field with a field value containing a list of identical decimal values (e.g., "Content-Length: 42, 42"), indicating that duplicate Content-Length header fields have been generated or combined by an upstream message processor, then the recipient MUST either reject the message as invalid or replace the duplicated field-values with a single valid Content-Length field containing that decimal value prior to determining the message body length or forwarding the message.”
You can find more details on this in the following discussion
Please update your scan's algorithm or suggest an alternative.
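As an added illustration of the RFC 7230 rule quoted above (this is example code written for this page, not the poster's configuration, Qualys' check, or Stingray's implementation), the following Python shows the two outcomes the RFC permits for duplicate Content-Length fields: identical values (whether repeated fields or a "42, 42" list) collapse to one field, while conflicting or non-decimal values are rejected. The request parser, the function names, and the sample request (modelled on the scanner request in the post, with a constructed Host header added) are all assumptions of this example; Transfer-Encoding interaction is deliberately out of scope.

```python
import re

# RFC 7230 section 3.3.2: a recipient that sees duplicate Content-Length
# fields MUST either reject the message or replace them with a single
# Content-Length carrying that value. Differing values are always invalid.

_DECIMAL = re.compile(r"^[0-9]+$")


def normalize_content_length(headers):
    """Return the single Content-Length value for a header list, or None if
    no Content-Length field is present. Raises ValueError for a message
    that RFC 7230 says must be rejected.

    `headers` is a list of (name, value) tuples as a parser would produce.
    """
    values = []
    for name, value in headers:
        if name.lower() != "content-length":
            continue
        # A single field may itself carry a comma-separated list ("42, 42").
        for part in value.split(","):
            part = part.strip()
            if not _DECIMAL.match(part):
                raise ValueError(f"invalid Content-Length value: {part!r}")
            values.append(int(part))
    if not values:
        return None
    if len(set(values)) != 1:
        raise ValueError(f"conflicting Content-Length values: {values}")
    return values[0]


def parse_request_head(head):
    """Parse the request head (text before the blank line) into
    (request_line, headers). Hypothetical minimal parser for this example:
    obsolete line folding is rejected rather than unfolded."""
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t":
            raise ValueError("obsolete line folding not accepted")
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def fold_content_length(raw):
    """Rewrite a raw HTTP/1.x request so that it carries at most one
    Content-Length field (the RFC's 'replace the duplicated field-values'
    option) and return the new bytes. Raises ValueError when the message
    must be rejected instead. Header bytes are treated as ISO-8859-1."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    request_line, headers = parse_request_head(head.decode("iso-8859-1"))
    length = normalize_content_length(headers)
    kept = [(n, v) for n, v in headers if n.lower() != "content-length"]
    if length is not None:
        kept.append(("Content-Length", str(length)))
    new_head = request_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in kept)
    return new_head.encode("iso-8859-1") + b"\r\n" + body


# Constructed sample modelled on the scanner request quoted in the post;
# the Host header is added here and is not part of the original request.
SCANNER_REQUEST = (
    b"POST /index.jsp HTTP/1.0\r\n"
    b"Host: app.example.test\r\n"
    b"Content-Length: 0\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(fold_content_length(SCANNER_REQUEST).decode("iso-8859-1"))
    try:
        fold_content_length(
            b"POST / HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n"
        )
    except ValueError as exc:
        print("rejected:", exc)
```

Run as a script, it prints the scanner-style request with the two identical fields folded into one, then shows a request with conflicting lengths being rejected. Either behaviour (fold or reject) is RFC-compliant for identical duplicates; only conflicting values force rejection, which is the distinction the post is making about the load balancer.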