Think you have a false positive on this rule?

Sid 1-31213

Message

INDICATOR-COMPROMISE http POST request smuggling attempt

Summary

This event is generated when an http POST request smuggling attempt is detected.

Impact

Misc Attack

CVE-2014-0099:

CVSS base score 4.3

CVSS impact score 2.9

CVSS exploitability score 8.6

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

Detailed information

CVE-2014-0099: Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.

Affected systems

  • apache tomcat 6
  • apache tomcat 6.0
  • apache tomcat 6.0.0
  • apache tomcat 6.0.1
  • apache tomcat 6.0.2
  • apache tomcat 6.0.3
  • apache tomcat 6.0.4
  • apache tomcat 6.0.5
  • apache tomcat 6.0.6
  • apache tomcat 6.0.7
  • apache tomcat 6.0.8
  • apache tomcat 6.0.9
  • apache tomcat 6.0.10
  • apache tomcat 6.0.11
  • apache tomcat 6.0.12
  • apache tomcat 6.0.13
  • apache tomcat 6.0.14
  • apache tomcat 6.0.15
  • apache tomcat 6.0.16
  • apache tomcat 6.0.17
  • apache tomcat 6.0.18
  • apache tomcat 6.0.19
  • apache tomcat 6.0.20
  • apache tomcat 6.0.24
  • apache tomcat 6.0.26
  • apache tomcat 6.0.27
  • apache tomcat 6.0.28
  • apache tomcat 6.0.29
  • apache tomcat 6.0.30
  • apache tomcat 6.0.31
  • apache tomcat 6.0.32
  • apache tomcat 6.0.33
  • apache tomcat 6.0.35
  • apache tomcat 6.0.36
  • apache tomcat 6.0.37
  • apache tomcat 6.0.39
  • apache tomcat 7.0.0
  • apache tomcat 7.0.1
  • apache tomcat 7.0.2
  • apache tomcat 7.0.3
  • apache tomcat 7.0.4
  • apache tomcat 7.0.5
  • apache tomcat 7.0.6
  • apache tomcat 7.0.7
  • apache tomcat 7.0.8
  • apache tomcat 7.0.9
  • apache tomcat 7.0.10
  • apache tomcat 7.0.11
  • apache tomcat 7.0.12
  • apache tomcat 7.0.13
  • apache tomcat 7.0.14
  • apache tomcat 7.0.15
  • apache tomcat 7.0.16
  • apache tomcat 7.0.17
  • apache tomcat 7.0.18
  • apache tomcat 7.0.19
  • apache tomcat 7.0.20
  • apache tomcat 7.0.21
  • apache tomcat 7.0.22
  • apache tomcat 7.0.23
  • apache tomcat 7.0.24
  • apache tomcat 7.0.25
  • apache tomcat 7.0.26
  • apache tomcat 7.0.27
  • apache tomcat 7.0.28
  • apache tomcat 7.0.29
  • apache tomcat 7.0.30
  • apache tomcat 7.0.31
  • apache tomcat 7.0.32
  • apache tomcat 7.0.33
  • apache tomcat 7.0.34
  • apache tomcat 7.0.35
  • apache tomcat 7.0.36
  • apache tomcat 7.0.37
  • apache tomcat 7.0.38
  • apache tomcat 7.0.39
  • apache tomcat 7.0.40
  • apache tomcat 7.0.41
  • apache tomcat 7.0.42
  • apache tomcat 7.0.43
  • apache tomcat 7.0.44
  • apache tomcat 7.0.45
  • apache tomcat 7.0.46
  • apache tomcat 7.0.47
  • apache tomcat 7.0.48
  • apache tomcat 7.0.49
  • apache tomcat 7.0.50
  • apache tomcat 7.0.52
  • apache tomcat 8.0.0
  • apache tomcat 8.0.1
  • apache tomcat 8.0.3

Ease of attack

CVE-2014-0099:

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

False positives

None Known

False negatives

None Known

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References