Bug 1397484 (CVE-2016-6816)
| Summary: | CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aileenc, alee, apmukher, aszczucz, bbaranow, bdawidow, bmaxwell, ccoleman, cdewolf, chazlett, coolsvap, csutherl, dandread, darran.lofthouse, dedgar, dmcphers, dosoudil, epp-bugs, fnasser, gzaronik, hhorak, huwang, ivan.afonichev, jason.greene, java-sig-commits, jawilson, jboss-set, jclere, jcoleman, jdg-bugs, jdoyle, jgoulding, jialiu, joelsmith, jokerman, jolee, jorton, jpallich, jshepherd, kanderso, krzysztof.daniel, lgao, lmeyer, mbabacek, mbaluch, miburman, mizdebsk, mmccomas, mmiura, mnewsome, mweiler, myarboro, nobody+bgollahe, nwallace, ohudlick, pgier, psakar, pslavice, psotirop, rnetuka, rsvoboda, rzima, sdouglas, spinder, theute, ttarrant, twalsh, vhalbert, vtunka, weli, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | tomcat 6.0.48, tomcat 7.0.73, tomcat 8.0.39, tomcat 8.5.8 | Doc Type: | If docs needed, set a value |
| Doc Text: |
It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 03:02:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1397493, 1397495, 1397496, 1398253, 1398254, 1399014, 1399016, 1402662, 1402663, 1402664, 1402665 | ||
| Bug Blocks: | 1397488, 1397645, 1428325, 1482229 | ||
|
Description
Adam Mariš
2016-11-22 15:56:38 UTC
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1397493] Affects: epel-6 [bug 1397495] For the record, this fix has been getting some negative responses in the community from users because of the amount of clients that use curly braces ({ and }) and the pipe symbol (|) in their requests without encoding them. Doing so will result in a 400 response after this patch is applied. Additionally, there is no workaround to change the behavior back; see https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 for information on an RFE to add an optional setting.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6 Via RHSA-2017:0247 https://rhn.redhat.com/errata/RHSA-2017-0247.html This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2017:0246 https://rhn.redhat.com/errata/RHSA-2017-0246.html This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2017:0245 https://rhn.redhat.com/errata/RHSA-2017-0245.html This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:0244 https://rhn.redhat.com/errata/RHSA-2017-0244.html This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:0250 https://rhn.redhat.com/errata/RHSA-2017-0250.html Statement: Applying the fix provided to mitigate this issue may cause Tomcat to return 400 status after updating. For more information, refer to https://access.redhat.com/solutions/2891171 This issue has been addressed in the following products: Red Hat JBoss Web Server 3.1.0 Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456 This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:0527 https://rhn.redhat.com/errata/RHSA-2017-0527.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:0935 https://access.redhat.com/errata/RHSA-2017:0935 |