Bug 1397484 (CVE-2016-6816) - CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests
Summary: CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-6816
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161122,repor...
Depends On: 1397493 1397495 1397496 1398253 1398254 1399014 1399016 1402662 1402663 1402664 1402665
Blocks: 1397488 1397645 1428325 1482229
TreeView+ depends on / blocked
 
Reported: 2016-11-22 15:56 UTC by Adam Mariš
Modified: 2019-06-13 14:48 UTC (History)
71 users (show)

Fixed In Version: tomcat 6.0.48, tomcat 7.0.73, tomcat 8.0.39, tomcat 8.5.8
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:02:35 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0244 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-02-03 01:39:38 UTC
Red Hat Product Errata RHSA-2017:0245 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-02-03 01:36:51 UTC
Red Hat Product Errata RHSA-2017:0246 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-02-03 01:33:58 UTC
Red Hat Product Errata RHSA-2017:0247 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform security update 2017-05-03 01:58:19 UTC
Red Hat Product Errata RHSA-2017:0250 normal SHIPPED_LIVE Important: jboss-ec2-eap security, bug fix, and enhancement update 2017-02-03 02:03:53 UTC
Red Hat Product Errata RHSA-2017:0455 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update 2017-03-08 00:06:40 UTC
Red Hat Product Errata RHSA-2017:0456 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update 2017-03-08 00:06:06 UTC
Red Hat Product Errata RHSA-2017:0457 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server security and enhancement update 2017-03-08 00:05:59 UTC
Red Hat Product Errata RHSA-2017:0527 normal SHIPPED_LIVE Moderate: tomcat6 security update 2017-03-15 17:01:42 UTC
Red Hat Product Errata RHSA-2017:0935 normal SHIPPED_LIVE Moderate: tomcat security update 2017-04-12 19:02:18 UTC

Description Adam Mariš 2016-11-22 15:56:38 UTC
The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

Affects: 6.0.0 to 6.0.47, 7.0.0 to 7.0.72, 8.0.0.RC1 to 8.0.38, 8.5.0 to 8.5.6

Upstream patches:

Tomcat 6.0.48: https://svn.apache.org/viewvc?view=rev&rev=1767683
Tomcat 7.0.73: http://svn.apache.org/viewvc?view=rev&rev=1767675
Tomcat 8.0.39: http://svn.apache.org/viewvc?view=rev&rev=1767653
Tomcat 8.5.8: http://svn.apache.org/viewvc?view=rev&rev=1767645

External References:

https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8
https://access.redhat.com/solutions/2891171
https://access.redhat.com/articles/2991951

Comment 2 Adam Mariš 2016-11-22 16:09:57 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1397493]
Affects: epel-6 [bug 1397495]

Comment 10 Coty Sutherland 2017-01-24 20:30:07 UTC
For the record, this fix has been getting some negative responses in the community from users because of the amount of clients that use curly braces ({ and }) and the pipe symbol (|) in their requests without encoding them. Doing so will result in a 400 response after this patch is applied. Additionally, there is no workaround to change the behavior back; see https://bz.apache.org/bugzilla/show_bug.cgi?id=60594 for information on an RFE to add an optional setting.

Comment 11 errata-xmlrpc 2017-02-02 20:24:07 UTC
This issue has been addressed in the following products:

   Red Hat JBoss Enterprise Application Platform 6

Via RHSA-2017:0247 https://rhn.redhat.com/errata/RHSA-2017-0247.html

Comment 12 errata-xmlrpc 2017-02-02 20:44:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:0246 https://rhn.redhat.com/errata/RHSA-2017-0246.html

Comment 13 errata-xmlrpc 2017-02-02 20:46:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:0245 https://rhn.redhat.com/errata/RHSA-2017-0245.html

Comment 14 errata-xmlrpc 2017-02-02 20:47:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0244 https://rhn.redhat.com/errata/RHSA-2017-0244.html

Comment 15 errata-xmlrpc 2017-02-02 21:04:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0250 https://rhn.redhat.com/errata/RHSA-2017-0250.html

Comment 16 Timothy Walsh 2017-02-13 04:09:56 UTC
Statement:

Applying the fix provided to mitigate this issue may cause Tomcat to return 400 status after updating. For more information, refer to https://access.redhat.com/solutions/2891171

Comment 18 errata-xmlrpc 2017-03-07 19:10:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.0

Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html

Comment 19 errata-xmlrpc 2017-03-07 19:14:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456

Comment 20 errata-xmlrpc 2017-03-07 19:19:27 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455

Comment 21 errata-xmlrpc 2017-03-15 13:02:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0527 https://rhn.redhat.com/errata/RHSA-2017-0527.html

Comment 24 errata-xmlrpc 2017-04-12 15:04:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:0935 https://access.redhat.com/errata/RHSA-2017:0935


Note You need to log in before you can comment on or make changes to this bug.