Maintenance Notifications


Some customers may experience errors when making API POST calls


    Posted 08-20-2019 01:18

    IMPACT:

    A small number of US customers who utilize Zuora's REST API endpoints may be experiencing the following error when attempting to process POST requests:

     

    Reason{code='50000000', message='Could not read JSON}

     

    SUMMARY:

    Due to a change rolled out by our CDN service provider starting Monday, August 12 and continuing through Friday, August 16, some customers may be experiencing failures when posting requests to our REST API endpoints. The CDN implemented the change to address security vulnerabilities exposed when clients send both a Content-Length header and a Transfer-Encoding: chunked header. To address this issue, the CDN now drops the body of the POST request when both headers are included.

    SOLUTION:

    To address this problem, send only the Content-Length header and do not use the Transfer-Encoding header.

     

    While we don't have specific guidance for all possible clients used for API integration, an example of how to make a change for MuleSoft clients is here:

    https://help.mulesoft.com/s/question/0D52T00004mXV2JSAW/how-to-remove-http-header-transferencoding-on-outbound-requests

     

    For additional information and a deep dive into the issue, including methods to test and exploit the issue, please see this blog posting:

    https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn


    #Announcement
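
A pre-flight check for the guidance in the announcement above, as an added example that is not part of the original post or Zuora's code: it captures the headers Python's http.client would emit for a POST and flags any use of Transfer-Encoding, showing that a fully buffered body is framed with Content-Length only while a streamed body falls back to chunked encoding. The host api.example.invalid, the path /v1/placeholder, the payload and the helper names are constructed placeholders, and nothing is sent over the network.

```python
import http.client
import json

class _CaptureSocket:
    """Stand-in socket: records bytes instead of sending them."""
    def __init__(self):
        self.sent = b""
    def sendall(self, data):
        self.sent += bytes(data)

def wire_headers(body, extra=None):
    """Headers http.client would emit for a POST with this body (lower-cased names)."""
    conn = http.client.HTTPConnection("api.example.invalid")  # placeholder host
    conn.sock = _CaptureSocket()  # socket pre-set, so no connection is opened
    headers = {"Content-Type": "application/json", **(extra or {})}
    conn.request("POST", "/v1/placeholder", body=body, headers=headers)
    head = conn.sock.sent.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = (line.split(":", 1) for line in head.split("\r\n")[1:])  # skip request line
    return {name.strip().lower(): value.strip() for name, value in pairs}

def framing_issue(sent):
    """Classify request framing against the guidance: Content-Length only."""
    has_cl = "content-length" in sent
    has_te = "transfer-encoding" in sent
    if has_cl and has_te:
        return "both"      # the combination for which the CDN drops the body
    if has_te:
        return "chunked"   # Transfer-Encoding in use, which the guidance says to avoid
    return None if has_cl else "no-length"

payload = {"name": "constructed sample"}         # constructed sample payload
buffered = json.dumps(payload).encode("utf-8")   # bytes: length is known up front

def streamed():
    # A generator body cannot be sized, so http.client switches to chunked encoding.
    yield buffered

if __name__ == "__main__":
    both = {"Content-Length": str(len(buffered)), "Transfer-Encoding": "chunked"}
    cases = [("buffered bytes", buffered, None),
             ("generator body", streamed(), None),
             ("explicit CL + TE", buffered, both)]
    for label, body, extra in cases:
        print(f"{label:18} -> {framing_issue(wire_headers(body, extra))}")
```

In an integration's own test suite the same check can run against whatever body object the client actually builds, so a later switch to a streamed body is caught before it reaches the CDN.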