The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.

Affects: 6.0.0 to 6.0.47, 7.0.0 to 7.0.72, 8.0.0.RC1 to 8.0.38, 8.5.0 to 8.5.6

Upstream patches:
Tomcat 6.0.48: https://svn.apache.org/viewvc?view=rev&rev=1767683
Tomcat 7.0.73: http://svn.apache.org/viewvc?view=rev&rev=1767675
Tomcat 8.0.39: http://svn.apache.org/viewvc?view=rev&rev=1767653
Tomcat 8.5.8: http://svn.apache.org/viewvc?view=rev&rev=1767645

External References:
https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8
https://access.redhat.com/solutions/2891171
https://access.redhat.com/articles/2991951
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1397493]
Affects: epel-6 [bug 1397495]
For the record, this fix has been getting some negative responses in the community from users because of the number of clients that use curly braces ({ and }) and the pipe symbol (|) in their requests without encoding them. Doing so will result in a 400 response after this patch is applied. Additionally, there is no workaround to change the behavior back; see https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 for information on an RFE to add an optional setting.
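As an added illustration of the stricter request-line parsing that the description and the comment above refer to (constructed example, not Tomcat's patch or any code from this bug): a check written against the RFC 7230 request-line and RFC 3986 request-target grammar that returns the reason a request would be rejected with a 400, which lets an operator test whether a client's unencoded `{`, `}` or `|` will break before rolling the update out. The percent-encoded form of the same target is shown passing.

```python
import re

# Characters RFC 3986 permits in a request-target: unreserved, sub-delims,
# ':' '@' '/' '?', plus '%' introducing a percent-encoded octet. '{', '}', '|',
# '^', '\\', '"', '<', '>', '`', '#', whitespace and controls are outside it.
_TARGET_CHARS = re.compile(r"[A-Za-z0-9\-._~!$&'()*+,;=:@/?%]*")
_PCT_BAD = re.compile(r"%(?![0-9A-Fa-f]{2})")          # '%' without two hex digits
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")   # RFC 7230 tchar (method)
_VERSION = re.compile(r"HTTP/[0-9]\.[0-9]")

def check_request_line(line: bytes):
    """Return (ok, reason) for one raw HTTP/1.x request line.
    Constructed, strict approximation of the RFC 7230 grammar, not Tomcat's
    parser: any False result is a request a strict server answers with 400.
    """
    if not line.endswith(b"\r\n"):
        return False, "request line must end with CRLF"
    try:
        text = line[:-2].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII byte in request line"
    parts = text.split(" ")
    if len(parts) != 3:
        return False, "expected exactly 'method SP request-target SP HTTP-version'"
    method, target, version = parts
    if not _TOKEN.fullmatch(method):
        return False, "method is not a valid token"
    if not _VERSION.fullmatch(version):
        return False, "malformed HTTP-version"
    if not target:
        return False, "empty request-target"
    if not _TARGET_CHARS.fullmatch(target):
        bad = sorted({c for c in target if not _TARGET_CHARS.fullmatch(c)})
        return False, "request-target contains invalid characters: " + repr(bad)
    if _PCT_BAD.search(target):
        return False, "malformed percent-encoding in request-target"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample request lines, not captured traffic.
    samples = [
        b"GET /index.html HTTP/1.1\r\n",
        b"GET /api/{id}|x HTTP/1.1\r\n",        # rejected after the fix
        b"GET /api/%7Bid%7D%7Cx HTTP/1.1\r\n",  # same target, properly encoded
    ]
    for s in samples:
        print(s, "->", check_request_line(s))
```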
This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 6
Via RHSA-2017:0247 https://rhn.redhat.com/errata/RHSA-2017-0247.html

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5
Via RHSA-2017:0246 https://rhn.redhat.com/errata/RHSA-2017-0246.html

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
Via RHSA-2017:0245 https://rhn.redhat.com/errata/RHSA-2017-0245.html

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
Via RHSA-2017:0244 https://rhn.redhat.com/errata/RHSA-2017-0244.html

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
Via RHSA-2017:0250 https://rhn.redhat.com/errata/RHSA-2017-0250.html
Statement: Applying the fix provided to mitigate this issue may cause Tomcat to return a 400 status after updating. For more information, refer to https://access.redhat.com/solutions/2891171
This issue has been addressed in the following products:
  Red Hat JBoss Web Server 3.1.0
Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html

This issue has been addressed in the following products:
  Red Hat JBoss Web Server 3 for RHEL 7
Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456

This issue has been addressed in the following products:
  Red Hat JBoss Web Server 3 for RHEL 6
Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6
Via RHSA-2017:0527 https://rhn.redhat.com/errata/RHSA-2017-0527.html

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2017:0935 https://access.redhat.com/errata/RHSA-2017:0935