Bug 1344321 (CVE-2016-4993)

Summary: CVE-2016-4993 eap: HTTP header injection / response splitting
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asantos, asoldano, bbaranow, bdawidow, bmaxwell, brian.stansberry, carnil, ccoleman, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dmcphers, dosoudil, iweiss, jason.greene, jawilson, jclere, jdoyle, jialiu, jkeilson, joelsmith, jokerman, jpallich, jperkins, jshepherd, jstefl, krathod, kwills, lgao, lmeyer, mbabacek, mmccomas, msochure, msvehla, mweiler, myarboro, nwallace, pmackay, pslavice, psotirop, rguimara, rnetuka, rsvoboda, sdouglas, security-response-team, smaestri, theute, tom.jenkinson, twalsh, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was reported that EAP 7 Application Server/Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 00:53:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1349290, 1349292, 1349293, 1349294, 1349295    
Bug Blocks: 1344323, 1520314    

Description Adam Mariš 2016-06-09 12:13:48 UTC 
It was reported that WildFly 10.0.0 Application Server/Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also Response Splitting, due to insufficient sanitisation and validation of user input before the input is used as part of a HTTP header value.

Using newline characters injected into the HTTP headers, it is possible for the malicious user to add arbitrary headers such as Set-Cookie to set arbitrary cookies, or potentially use a Location header for an open-redirect. By using two newline characters the attacker can 'split' the response (HTTP Response Splitting) and provide their own content that will be rendered to the victim user.
Comment 1 Adam Mariš 2016-06-09 12:13:53 UTC 
Acknowledgments:

Name: Calum Hutton (NCC Group), Mikhail Egorov (Odin)
Comment 21 errata-xmlrpc 2016-09-08 18:19:33 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:1841 https://rhn.redhat.com/errata/RHSA-2016-1841.html
Comment 22 errata-xmlrpc 2016-09-08 18:20:36 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2016:1840 https://rhn.redhat.com/errata/RHSA-2016-1840.html
Comment 23 errata-xmlrpc 2016-09-08 18:21:46 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2016:1838 https://rhn.redhat.com/errata/RHSA-2016-1838.html
Comment 24 errata-xmlrpc 2016-09-08 18:41:25 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2016:1839 https://rhn.redhat.com/errata/RHSA-2016-1839.html
Comment 25 jkeilson 2016-10-14 17:46:42 UTC 
What versions of undertow are affected? Can you link to the upstream bug report?
Comment 26 Bharti Kundal 2016-10-14 18:25:24 UTC 
@jkeilson :Wildfly 10.0.0  is vulnerable.
Comment 27 jkeilson 2016-10-14 18:32:14 UTC 
(In reply to Bharti Kundal from comment #26)
> @jkeilson :Wildfly 10.0.0  is vulnerable.

So older versions of wildfly are not affected?
Comment 30 errata-xmlrpc 2017-12-13 17:31:30 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456
Comment 31 errata-xmlrpc 2017-12-13 18:19:14 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454
Comment 32 errata-xmlrpc 2017-12-13 18:40:34 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455
Comment 33 errata-xmlrpc 2017-12-13 18:45:41 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458
Comment 38 Salvatore Bonaccorso 2018-05-26 12:35:41 UTC 
Hi

Since this issue refers to an issue in undertow server, can you point to the respective undertow issue and/or upstream fix? 

Thanks in advance,

Regards,
Salvatore
Comment 39 Bharti Kundal 2018-05-28 00:33:21 UTC 
(In reply to Salvatore Bonaccorso from comment #38)
> Hi
> 
> Since this issue refers to an issue in undertow server, can you point to the
> respective undertow issue and/or upstream fix? 
> 
> Thanks in advance,
> 
> Regards,
> Salvatore

Hi Salvatore,

Here is the upstream JIRA issue https://issues.jboss.org/browse/UNDERTOW-827.

Hope this helps.

Regards,
Bharti