Bug 1397484 (CVE-2016-6816)

Summary: CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alee, apmukher, aszczucz, bbaranow, bdawidow, bmaxwell, ccoleman, cdewolf, chazlett, coolsvap, csutherl, dandread, darran.lofthouse, dedgar, dmcphers, dosoudil, epp-bugs, fnasser, gzaronik, hhorak, huwang, ivan.afonichev, jason.greene, java-sig-commits, jawilson, jboss-set, jclere, jcoleman, jdg-bugs, jdoyle, jgoulding, jialiu, joelsmith, jokerman, jolee, jorton, jpallich, jshepherd, kanderso, krzysztof.daniel, lgao, lmeyer, mbabacek, mbaluch, miburman, mizdebsk, mmccomas, mmiura, mnewsome, mweiler, myarboro, nobody+bgollahe, nwallace, ohudlick, pgier, psakar, pslavice, psotirop, rnetuka, rsvoboda, rzima, sdouglas, spinder, theute, ttarrant, twalsh, vhalbert, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 6.0.48, tomcat 7.0.73, tomcat 8.0.39, tomcat 8.5.8 Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:02:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1397493, 1397495, 1397496, 1398253, 1398254, 1399014, 1399016, 1402662, 1402663, 1402664, 1402665    
Bug Blocks: 1397488, 1397645, 1428325, 1482229    

Description Adam Mariš 2016-11-22 15:56:38 UTC
The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

Affects: 6.0.0 to 6.0.47, 7.0.0 to 7.0.72, 8.0.0.RC1 to 8.0.38, 8.5.0 to 8.5.6

Upstream patches:

Tomcat 6.0.48: https://svn.apache.org/viewvc?view=rev&rev=1767683
Tomcat 7.0.73: http://svn.apache.org/viewvc?view=rev&rev=1767675
Tomcat 8.0.39: http://svn.apache.org/viewvc?view=rev&rev=1767653
Tomcat 8.5.8: http://svn.apache.org/viewvc?view=rev&rev=1767645

External References:

https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8
https://access.redhat.com/solutions/2891171
https://access.redhat.com/articles/2991951

Comment 2 Adam Mariš 2016-11-22 16:09:57 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1397493]
Affects: epel-6 [bug 1397495]

Comment 10 Coty Sutherland 2017-01-24 20:30:07 UTC
For the record, this fix has been getting some negative responses in the community from users because of the amount of clients that use curly braces ({ and }) and the pipe symbol (|) in their requests without encoding them. Doing so will result in a 400 response after this patch is applied. Additionally, there is no workaround to change the behavior back; see https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 for information on an RFE to add an optional setting.

Comment 11 errata-xmlrpc 2017-02-02 20:24:07 UTC
This issue has been addressed in the following products:

   Red Hat JBoss Enterprise Application Platform 6

Via RHSA-2017:0247 https://rhn.redhat.com/errata/RHSA-2017-0247.html

Comment 12 errata-xmlrpc 2017-02-02 20:44:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:0246 https://rhn.redhat.com/errata/RHSA-2017-0246.html

Comment 13 errata-xmlrpc 2017-02-02 20:46:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:0245 https://rhn.redhat.com/errata/RHSA-2017-0245.html

Comment 14 errata-xmlrpc 2017-02-02 20:47:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0244 https://rhn.redhat.com/errata/RHSA-2017-0244.html

Comment 15 errata-xmlrpc 2017-02-02 21:04:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0250 https://rhn.redhat.com/errata/RHSA-2017-0250.html

Comment 16 Timothy Walsh 2017-02-13 04:09:56 UTC
Statement:

Applying the fix provided to mitigate this issue may cause Tomcat to return 400 status after updating. For more information, refer to https://access.redhat.com/solutions/2891171

Comment 18 errata-xmlrpc 2017-03-07 19:10:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.0

Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html

Comment 19 errata-xmlrpc 2017-03-07 19:14:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456

Comment 20 errata-xmlrpc 2017-03-07 19:19:27 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455

Comment 21 errata-xmlrpc 2017-03-15 13:02:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0527 https://rhn.redhat.com/errata/RHSA-2017-0527.html

Comment 24 errata-xmlrpc 2017-04-12 15:04:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0935 https://access.redhat.com/errata/RHSA-2017:0935