Bug 1344321 (CVE-2016-4993) - CVE-2016-4993 eap: HTTP header injection / response splitting
Summary: CVE-2016-4993 eap: HTTP header injection / response splitting
Status: NEW
Alias: CVE-2016-4993
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160908,repor...
Keywords: Security
Depends On: 1349290 1349292 1349293 1349294 1349295
Blocks: 1344323 1520314
TreeView+ depends on / blocked
 
Reported: 2016-06-09 12:13 UTC by Adam Mariš
Modified: 2019-06-18 06:50 UTC (History)
59 users (show)

(edit)
It was reported that EAP 7 Application Server/Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1838 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 7.0.2 on RHEL 6 2016-09-08 22:17:08 UTC
Red Hat Product Errata RHSA-2016:1839 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 7.0.2 for RHEL 7 2016-09-08 22:38:52 UTC
Red Hat Product Errata RHSA-2016:1840 normal SHIPPED_LIVE Important: eap7-jboss-ec2-eap security, bug fix, and enhancement update 2016-09-08 22:14:07 UTC
Red Hat Product Errata RHSA-2016:1841 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 7.0.2 2016-09-08 22:12:58 UTC
Red Hat Product Errata RHSA-2017:3454 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:48:09 UTC
Red Hat Product Errata RHSA-2017:3455 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:57:25 UTC
Red Hat Product Errata RHSA-2017:3456 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:31:03 UTC
Red Hat Product Errata RHSA-2017:3458 normal SHIPPED_LIVE Important: eap7-jboss-ec2-eap security update 2017-12-13 23:26:13 UTC

Description Adam Mariš 2016-06-09 12:13:48 UTC
It was reported that WildFly 10.0.0 Application Server/Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also Response Splitting, due to insufficient sanitisation and validation of user input before the input is used as part of a HTTP header value.

Using newline characters injected into the HTTP headers, it is possible for the malicious user to add arbitrary headers such as Set-Cookie to set arbitrary cookies, or potentially use a Location header for an open-redirect. By using two newline characters the attacker can 'split' the response (HTTP Response Splitting) and provide their own content that will be rendered to the victim user.

Comment 1 Adam Mariš 2016-06-09 12:13:53 UTC
Acknowledgments:

Name: Calum Hutton (NCC Group), Mikhail Egorov (Odin)

Comment 21 errata-xmlrpc 2016-09-08 18:19:33 UTC
This issue has been addressed in the following products:



Via RHSA-2016:1841 https://rhn.redhat.com/errata/RHSA-2016-1841.html

Comment 22 errata-xmlrpc 2016-09-08 18:20:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2016:1840 https://rhn.redhat.com/errata/RHSA-2016-1840.html

Comment 23 errata-xmlrpc 2016-09-08 18:21:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2016:1838 https://rhn.redhat.com/errata/RHSA-2016-1838.html

Comment 24 errata-xmlrpc 2016-09-08 18:41:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2016:1839 https://rhn.redhat.com/errata/RHSA-2016-1839.html

Comment 25 jkeilson 2016-10-14 17:46:42 UTC
What versions of undertow are affected? Can you link to the upstream bug report?

Comment 26 Bharti Kundal 2016-10-14 18:25:24 UTC
@jkeilson@anthemengineering.com :Wildfly 10.0.0  is vulnerable.

Comment 27 jkeilson 2016-10-14 18:32:14 UTC
(In reply to Bharti Kundal from comment #26)
> @jkeilson@anthemengineering.com :Wildfly 10.0.0  is vulnerable.

So older versions of wildfly are not affected?

Comment 30 errata-xmlrpc 2017-12-13 17:31:30 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

Comment 31 errata-xmlrpc 2017-12-13 18:19:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

Comment 32 errata-xmlrpc 2017-12-13 18:40:34 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

Comment 33 errata-xmlrpc 2017-12-13 18:45:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458

Comment 38 Salvatore Bonaccorso 2018-05-26 12:35:41 UTC
Hi

Since this issue refers to an issue in undertow server, can you point to the respective undertow issue and/or upstream fix? 

Thanks in advance,

Regards,
Salvatore

Comment 39 Bharti Kundal 2018-05-28 00:33:21 UTC
(In reply to Salvatore Bonaccorso from comment #38)
> Hi
> 
> Since this issue refers to an issue in undertow server, can you point to the
> respective undertow issue and/or upstream fix? 
> 
> Thanks in advance,
> 
> Regards,
> Salvatore

Hi Salvatore,

Here is the upstream JIRA issue https://issues.jboss.org/browse/UNDERTOW-827.

Hope this helps.

Regards,
Bharti


Note You need to log in before you can comment on or make changes to this bug.