Posted to announce@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2016/11/22 09:42:32 UTC

[SECURITY] CVE-2016-6816 Apache Tomcat Information Disclosure

CVE-2016-6816 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Apache Tomcat 8.0.0.RC1 to 8.0.38
Apache Tomcat 7.0.0 to 7.0.72
Apache Tomcat 6.0.0 to 6.0.47
Earlier, unsupported versions may also be affected.

Description
The code that parsed the HTTP request line permitted invalid characters.
This could be exploited, in conjunction with a proxy that also permitted
the invalid characters but with a different interpretation, to inject
data into the HTTP response. By manipulating the HTTP response the
attacker could poison a web-cache, perform an XSS attack and/or obtain
sensitive information from requests other than their own.

Mitigation
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M13 or later
  (Apache Tomcat 9.0.0.M12 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.8 or later
  (Apache Tomcat 8.5.7 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.39 or later
- Upgrade to Apache Tomcat 7.0.73 or later
- Upgrade to Apache Tomcat 6.0.48 or later

Credit:
This issue was discovered by Regis Leroy from Makina Corpus.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
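A strict request-line parser of the kind the fix calls for, as an added example written for this page (not Tomcat's own code, which is Java): it allow-lists the RFC 7230 token and RFC 3986 path/query characters and refuses everything else, so a byte that a front-end proxy might interpret differently is rejected instead of being forwarded into the response path.

```python
import re

# Allow-lists taken from RFC 7230 (method token) and RFC 3986 (path/query).
# Raw control bytes, SP/HTAB, and bytes >= 0x80 are in none of them and are
# refused rather than passed on for a proxy or cache to interpret differently.
ALPHANUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
TCHAR = set(ALPHANUM + "!#$%&'*+-.^_`|~")             # method token
TARGET_CHARS = set(ALPHANUM + "-._~!$&'()*+,;=:@/?")  # origin-form target
PCT_ENCODED = re.compile(rb"%[0-9A-Fa-f]{2}")
HTTP_VERSION = re.compile(rb"HTTP/[0-9]\.[0-9]")


class BadRequestLine(ValueError):
    """The request line is not valid under RFC 7230 and must be refused."""


def parse_request_line(line: bytes):
    """Strictly parse 'METHOD SP request-target SP HTTP-version CRLF'; CR/LF are
    accepted only as the trailing CRLF, so a stray CR/LF in the target is refused."""
    if not line.endswith(b"\r\n"):
        raise BadRequestLine("request line must end with CRLF")
    parts = line[:-2].split(b" ")          # exactly one SP between parts
    if len(parts) != 3:
        raise BadRequestLine("expected METHOD SP target SP version")
    method, target, version = parts
    if not method or any(chr(c) not in TCHAR for c in method):
        raise BadRequestLine("method is not a valid token")
    if not target.startswith(b"/"):
        raise BadRequestLine("only origin-form (absolute-path) targets allowed")
    i = 0
    while i < len(target):
        if target[i:i + 1] == b"%":        # '%' must start a well-formed %XX
            if not PCT_ENCODED.fullmatch(target[i:i + 3]):
                raise BadRequestLine("malformed percent-encoding in target")
            i += 3
            continue
        if chr(target[i]) not in TARGET_CHARS:
            raise BadRequestLine("invalid byte 0x%02x in target" % target[i])
        i += 1
    if not HTTP_VERSION.fullmatch(version):
        raise BadRequestLine("invalid HTTP-version")
    return method.decode("ascii"), target.decode("ascii"), version.decode("ascii")


def is_valid_request_line(line: bytes) -> bool:
    """True if the line parses cleanly, False if it would be refused."""
    try:
        parse_request_line(line)
        return True
    except BadRequestLine:
        return False
```

Characters outside the allow-list that a client legitimately needs (for example `|`) must arrive percent-encoded, which is exactly what keeps the proxy's and the servlet container's view of the request line identical.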

Re: [SECURITY] CVE-2016-6816 Apache Tomcat Information Disclosure

Posted by Utkarsh Dave <ut...@gmail.com>.
Please ignore my previous mail. I got the correct one
https://tomcat.apache.org/security-7.html



On Sun, Nov 27, 2016 at 6:41 PM, Utkarsh Dave <ut...@gmail.com>
wrote:

> Hi All
>
> This vulnerability (CVE-2016-6816) is said to be "Affects: 9.0.0.M1 to
> 9.0.0.M11" on another URL, https://tomcat.apache.org/security-9.html.
> But in the mail it says Tomcat 7 is also affected.
> Does this vulnerability affect version 7.0.72?
>
> -Regards
> Utkarsh
>
> On Tue, Nov 22, 2016 at 1:42 AM, Mark Thomas <ma...@apache.org> wrote:
>
>> CVE-2016-6816 Apache Tomcat Information Disclosure
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 9.0.0.M1 to 9.0.0.M11
>> Apache Tomcat 8.5.0 to 8.5.6
>> Apache Tomcat 8.0.0.RC1 to 8.0.38
>> Apache Tomcat 7.0.0 to 7.0.72
>> Apache Tomcat 6.0.0 to 6.0.47
>> Earlier, unsupported versions may also be affected.
>>
>> Description
>> The code that parsed the HTTP request line permitted invalid characters.
>> This could be exploited, in conjunction with a proxy that also permitted
>> the invalid characters but with a different interpretation, to inject
>> data into the HTTP response. By manipulating the HTTP response the
>> attacker could poison a web-cache, perform an XSS attack and/or obtain
>> sensitive information from requests other than their own.
>>
>> Mitigation
>> Users of affected versions should apply one of the following mitigations:
>> - Upgrade to Apache Tomcat 9.0.0.M13 or later
>>   (Apache Tomcat 9.0.0.M12 has the fix but was not released)
>> - Upgrade to Apache Tomcat 8.5.8 or later
>>   (Apache Tomcat 8.5.7 has the fix but was not released)
>> - Upgrade to Apache Tomcat 8.0.39 or later
>> - Upgrade to Apache Tomcat 7.0.73 or later
>> - Upgrade to Apache Tomcat 6.0.48 or later
>>
>> Credit:
>> This issue was discovered by Regis Leroy from Makina Corpus.
>>
>> References:
>> [1] http://tomcat.apache.org/security-9.html
>> [2] http://tomcat.apache.org/security-8.html
>> [3] http://tomcat.apache.org/security-7.html
>> [4] http://tomcat.apache.org/security-6.html
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>

Re: [SECURITY] CVE-2016-6816 Apache Tomcat Information Disclosure

Posted by Utkarsh Dave <ut...@gmail.com>.
Hi All

This vulnerability (CVE-2016-6816) is said to be "Affects: 9.0.0.M1 to
9.0.0.M11" on another URL, https://tomcat.apache.org/security-9.html.
But in the mail it says Tomcat 7 is also affected.
Does this vulnerability affect version 7.0.72?

-Regards
Utkarsh

On Tue, Nov 22, 2016 at 1:42 AM, Mark Thomas <ma...@apache.org> wrote:

> CVE-2016-6816 Apache Tomcat Information Disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.0.M11
> Apache Tomcat 8.5.0 to 8.5.6
> Apache Tomcat 8.0.0.RC1 to 8.0.38
> Apache Tomcat 7.0.0 to 7.0.72
> Apache Tomcat 6.0.0 to 6.0.47
> Earlier, unsupported versions may also be affected.
>
> Description
> The code that parsed the HTTP request line permitted invalid characters.
> This could be exploited, in conjunction with a proxy that also permitted
> the invalid characters but with a different interpretation, to inject
> data into the HTTP response. By manipulating the HTTP response the
> attacker could poison a web-cache, perform an XSS attack and/or obtain
> sensitive information from requests other than their own.
>
> Mitigation
> Users of affected versions should apply one of the following mitigations:
> - Upgrade to Apache Tomcat 9.0.0.M13 or later
>   (Apache Tomcat 9.0.0.M12 has the fix but was not released)
> - Upgrade to Apache Tomcat 8.5.8 or later
>   (Apache Tomcat 8.5.7 has the fix but was not released)
> - Upgrade to Apache Tomcat 8.0.39 or later
> - Upgrade to Apache Tomcat 7.0.73 or later
> - Upgrade to Apache Tomcat 6.0.48 or later
>
> Credit:
> This issue was discovered by Regis Leroy from Makina Corpus.
>
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html
> [4] http://tomcat.apache.org/security-6.html
>
>
>