
Zuora Staff

IMPACT:

A small number of US customers who utilize Zuora’s REST API endpoints may be experiencing the following error when attempting to process POST requests:


Reason{code='50000000', message='Could not read JSON'}


SUMMARY:

Due to a change rolled out by our CDN service provider between Monday, August 12 and Friday, August 16, some customers may be experiencing failures when posting requests to our REST API endpoints. The CDN implemented the change to address security vulnerabilities that arise when clients send both a “Content-Length” and a “Transfer-Encoding: chunked” header on the same request, since the two headers can disagree on where the request body ends. To address this, the CDN now drops the body of a POST request when both headers are present.

SOLUTION:

The change necessary to address this problem is to send only the “Content-Length” header and not the “Transfer-Encoding” header.


While we don’t have specific guidance for all possible clients used for API integration, an example of how to make a change for MuleSoft clients is here:

https://help.mulesoft.com/s/question/0D52T00004mXV2JSAW/how-to-remove-http-header-transferencoding-o...


For additional information and a deep dive into the issue, including methods to test and exploit the issue, please see this blog posting:

https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn