Posted to announce@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2016/11/22 09:42:32 UTC
[SECURITY] CVE-2016-6816 Apache Tomcat Information Disclosure
CVE-2016-6816 Apache Tomcat Information Disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Apache Tomcat 8.0.0.RC1 to 8.0.38
Apache Tomcat 7.0.0 to 7.0.72
Apache Tomcat 6.0.0 to 6.0.47
Earlier, unsupported versions may also be affected.
Description
The code that parsed the HTTP request line permitted invalid characters.
This could be exploited, in conjunction with a proxy that also permitted
the invalid characters but with a different interpretation, to inject
data into the HTTP response. By manipulating the HTTP response the
attacker could poison a web-cache, perform an XSS attack and/or obtain
sensitive information from requests other than their own.
Mitigation
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M13 or later
(Apache Tomcat 9.0.0.M12 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.8 or later
(Apache Tomcat 8.5.7 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.39 or later
- Upgrade to Apache Tomcat 7.0.73 or later
- Upgrade to Apache Tomcat 6.0.48 or later
Credit:
This issue was discovered by Regis Leroy from Makina Corpus.
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
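The request-line character issue the advisory describes, as an added illustration that is not Tomcat's code and not part of the advisory: a strict RFC 7230 request-line parser beside a deliberately lenient one, run over constructed sample lines to show which inputs only the lenient parser accepts. The sample lines and function names are assumptions made for this example.

```python
import re

# RFC 7230 request-line grammar: method = token, request-target = visible
# US-ASCII only, version = HTTP/DIGIT.DIGIT, separated by exactly one SP each.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
METHOD_RE = re.compile(TCHAR + r"+")
TARGET_RE = re.compile(r"[\x21-\x7e]+")   # no SP, CTLs, DEL or 8-bit bytes
VERSION_RE = re.compile(r"HTTP/[0-9]\.[0-9]")

def parse_request_line_strict(line: bytes):
    """Return (method, target, version), or None if the line violates RFC 7230."""
    if not line.endswith(b"\r\n"):
        return None
    parts = line[:-2].split(b" ")
    if len(parts) != 3 or b"" in parts:       # exactly two single-SP separators
        return None
    try:
        method, target, version = (p.decode("ascii") for p in parts)
    except UnicodeDecodeError:
        return None
    if not (METHOD_RE.fullmatch(method) and TARGET_RE.fullmatch(target)
            and VERSION_RE.fullmatch(version)):
        return None
    return method, target, version

def parse_request_line_lenient(line: bytes):
    """A forgiving parser of the kind the advisory describes: it only looks for the
    first and last SP and never inspects the bytes in between, so a line that
    another hop rejects (or reads differently) is accepted here unchanged."""
    body = line.rstrip(b"\r\n")
    first, last = body.find(b" "), body.rfind(b" ")
    if first < 0 or first == last:
        return None
    return (body[:first].decode("latin-1"), body[first + 1:last].decode("latin-1"),
            body[last + 1:].decode("latin-1"))

# Constructed sample request lines (not taken from the advisory).
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\n",      # valid
    b"GET /a\nb HTTP/1.1\r\n",             # bare LF inside the target
    b"GET /a\x00b HTTP/1.1\r\n",           # NUL inside the target
    b"GET  /double-space HTTP/1.1\r\n",    # two SP separators
    b"GET /\xc3\xa9 HTTP/1.1\r\n",         # 8-bit bytes in the target
]

def audit(samples):
    """Return [(line, strict_accepts, lenient_accepts)] for side-by-side comparison."""
    return [(s, parse_request_line_strict(s) is not None,
             parse_request_line_lenient(s) is not None) for s in samples]
```

Only the first sample passes the strict parser; the lenient one accepts all five, which is the disagreement between hops that the advisory's description relies on.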
Re: [SECURITY] CVE-2016-6816 Apache Tomcat Information Disclosure
Posted by Utkarsh Dave <ut...@gmail.com>.
Please ignore my previous mail. I got the correct one:
https://tomcat.apache.org/security-7.html
On Sun, Nov 27, 2016 at 6:41 PM, Utkarsh Dave <ut...@gmail.com>
wrote:
> Hi All
>
> This vulnerability (CVE-2016-6816) is said to be "Affects: 9.0.0.M1 to
> 9.0.0.M11" on another URL, https://tomcat.apache.org/security-9.html.
> But in the mail it says Tomcat 7 is also affected.
> Does this vulnerability affect version 7.0.72?
>
> -Regards
> Utkarsh
Re: [SECURITY] CVE-2016-6816 Apache Tomcat Information Disclosure
Posted by Utkarsh Dave <ut...@gmail.com>.
Hi All
This vulnerability (CVE-2016-6816) is said to be "Affects: 9.0.0.M1 to
9.0.0.M11" on another URL, https://tomcat.apache.org/security-9.html.
But in the mail it says Tomcat 7 is also affected.
Does this vulnerability affect version 7.0.72?
-Regards
Utkarsh