CVE-2016-6816
HTTP response injection vulnerability in tomcat-coyote (Maven)
What is CVE-2016-6816 About?
This vulnerability in Apache Tomcat stems from the HTTP request-line parser accepting invalid characters instead of rejecting the request. When Tomcat sits behind a proxy that also accepts those characters but interprets them differently, an attacker can inject data into the HTTP response Tomcat returns, which can be used for web-cache poisoning or cross-site scripting (XSS). Exploitation is of moderate difficulty: it works only in combination with such a proxy.
Affected Software
- org.apache.tomcat:tomcat-coyote
- >=6.0.0, <6.0.48
- >=7.0.0, <7.0.73
- >=8.0.0.RC1, <8.0.39
- >=8.5.0, <8.5.8
- >=9.0.0.M1, <9.0.0.M12
Technical Details
The vulnerability affects Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72 and 6.0.0 to 6.0.47. In these versions the code that parses the HTTP request line permits characters that are not valid there, rather than rejecting the request. An intermediary proxy that also lets those characters through may interpret them differently from Tomcat, so a request line crafted with them can cause attacker-controlled data to end up in the HTTP response Tomcat returns. Combined with the proxy's differing view of the request, that injected data can poison a web cache, drive a cross-site scripting (XSS) attack against a victim's browser, or expose information from requests that belong to other users, by manipulating response headers or content.
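The parsing discrepancy described above, as an added example in Python that is not code from this page or from Apache Tomcat: a lenient request-line parser that tolerates any byte between the method and the version, next to a strict one that implements the RFC 7230 request-line grammar (`method SP request-target SP HTTP-version`) and refuses anything outside it, the way a hardened parser should. The two parsers are run over constructed request lines so the inputs on which they disagree become visible. The function names, character sets and sample lines are assumptions for illustration; the precise set of characters Tomcat's patched parser rejects is in the linked commit and is not reproduced here.

```python
import re
from typing import Dict, Optional, Tuple

# RFC 7230 "tchar": the only characters allowed in a method token.
TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyz"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

# Characters a request-target may contain per RFC 3986: unreserved,
# sub-delims, ":" "@" "/" "?", and "%" as the start of a pct-encoded triplet.
TARGET_CHARS = frozenset("-._~!$&'()*+,;=:@/?%0123456789"
                         "abcdefghijklmnopqrstuvwxyz"
                         "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

VERSION_RE = re.compile(r"^HTTP/[0-9]\.[0-9]$")
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")


class BadRequest(ValueError):
    """Where a strict server answers 400 Bad Request instead of continuing."""


def parse_lenient(line: bytes) -> Tuple[str, str, str]:
    """Model (assumed, not Tomcat's code) of a parser that permits invalid
    characters: method = before the first SP, version = after the last SP,
    target = whatever sits in between. No byte is ever rejected, so controls,
    non-ASCII and HTML metacharacters travel on into later processing."""
    text = line.decode("latin-1")
    first, last = text.find(" "), text.rfind(" ")
    if first == -1 or first == last:
        raise BadRequest("need at least two spaces")
    return text[:first], text[first + 1:last].strip(), text[last + 1:]


def parse_strict(line: bytes) -> Tuple[str, str, str]:
    """RFC 7230 §3.1.1 request-line. Anything outside the grammar is a 400,
    so no byte that an intermediary might read differently is accepted."""
    if any(b < 0x20 or b > 0x7E for b in line):
        raise BadRequest("control or non-ASCII byte in request line")
    parts = line.decode("ascii").split(" ")
    if len(parts) != 3 or "" in parts:
        raise BadRequest("exactly one SP between method, target and version")
    method, target, version = parts
    if not TCHAR.issuperset(method):
        raise BadRequest("invalid character in method")
    if not (target == "*" or target.startswith("/")
            or target.startswith(("http://", "https://"))):
        raise BadRequest("request-target is not origin-, absolute- or asterisk-form")
    if not TARGET_CHARS.issuperset(target):
        raise BadRequest("invalid character in request-target")
    # Every '%' must begin a well-formed pct-encoded triplet.
    if target.count("%") != len(PCT_RE.findall(target)):
        raise BadRequest("malformed percent-encoding in request-target")
    if not VERSION_RE.match(version):
        raise BadRequest("invalid HTTP-version")
    return method, target, version


def divergent_target(line: bytes) -> Optional[str]:
    """The target the lenient parser accepts for a line the strict parser
    rejects, or None when both agree. A non-None value is a request that two
    components in the same path (proxy and origin) may read differently."""
    try:
        parse_strict(line)
        return None
    except BadRequest:
        pass
    try:
        return parse_lenient(line)[1]
    except BadRequest:
        return None


# Constructed sample request lines for illustration, not captured traffic.
SAMPLES: Dict[str, bytes] = {
    "plain":        b"GET /index.html HTTP/1.1",
    "pct_encoded":  b"GET /s?q=%3Cb%3E&x=1 HTTP/1.1",
    "html_meta":    b"GET /s?q=<script>x</script> HTTP/1.1",
    "bare_cr":      b"GET /a\rX-Injected:1 HTTP/1.1",
    "control_byte": b"GET /a\x01b HTTP/1.1",
    "non_ascii":    b"GET /caf\xc3\xa9 HTTP/1.1",
    "double_space": b"GET  /a HTTP/1.1",
    "bad_pct":      b"GET /a%zz HTTP/1.1",
}


def compare(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Optional[str]]:
    """Map each sample name to its divergent target (None = parsers agree)."""
    return {name: divergent_target(line) for name, line in samples.items()}


if __name__ == "__main__":
    for name, diverged in compare().items():
        verdict = "agree" if diverged is None else "DIVERGE: " + repr(diverged)
        print(f"{name:13s} {verdict}")
```

Only `plain` and `pct_encoded` survive the strict parser; every other sample is accepted by the lenient parser with its raw characters intact, which is exactly the class of input whose meaning depends on which component parses it.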
What is the Impact of CVE-2016-6816?
Successful exploitation may allow attackers to poison web caches, perform Cross-Site Scripting (XSS) attacks, or obtain sensitive information from other user requests.
What is the Exploitability of CVE-2016-6816?
Exploitation is of moderate complexity. It requires an intermediary proxy that also accepts the invalid characters in the request line but interprets them differently from the vulnerable Tomcat instance; without such a proxy there is no discrepancy to exploit. No authentication or privilege is needed, and the attack is carried out remotely with an ordinary HTTP request whose request line carries the crafted characters, targeting the interaction between client, proxy and web server. Deployments that run an affected Tomcat version behind such a proxy are the ones at risk, since the proxy is what turns the lenient parsing into response manipulation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2016-6816?
Available Upgrade Options
- org.apache.tomcat:tomcat-coyote
- >=6.0.0, <6.0.48 → Upgrade to 6.0.48 or later
- >=7.0.0, <7.0.73 → Upgrade to 7.0.73 or later
- >=8.0.0.RC1, <8.0.39 → Upgrade to 8.0.39 or later
- >=8.5.0, <8.5.8 → Upgrade to 8.5.8 or later
- >=9.0.0.M1, <9.0.0.M12 → Upgrade to 9.0.0.M12 or later
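To check a build against these ranges, as an added example that is not code from this page or from Apache Tomcat: a comparator for Tomcat's version scheme, in which the `M` (milestone) and `RC` qualifiers sort before the final release of the same number, so that `9.0.0.M11` is inside the affected range and `8.0.0.RC1` is its own lower bound, plus a scan over `mvn dependency:list` output. The ranges are the ones listed above; the sample output is constructed, and the line format assumed is `groupId:artifactId:type[:classifier]:version:scope` as that goal prints it.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges for this CVE: lower bound inclusive, upper bound exclusive
# (the upper bound is the first fixed release and therefore the upgrade target).
AFFECTED_RANGES = [
    ("6.0.0", "6.0.48"),
    ("7.0.0", "7.0.73"),
    ("8.0.0.RC1", "8.0.39"),
    ("8.5.0", "8.5.8"),
    ("9.0.0.M1", "9.0.0.M12"),
]

# Pre-release qualifiers sort before the final release of the same numeric
# version: 9.0.0.M1 < 9.0.0.M11 < 9.0.0.RC1 < 9.0.0.
QUALIFIER_RANK = {"M": 0, "RC": 1}
FINAL_RANK = 2

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sortable key for a Tomcat version string such as 8.5.6 or 9.0.0.M11."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a Tomcat version string: {version!r}")
    major, minor, patch, qual, qnum = m.groups()
    if qual is None:
        return (int(major), int(minor), int(patch), FINAL_RANK, 0)
    return (int(major), int(minor), int(patch), QUALIFIER_RANK[qual], int(qnum))


def fixed_version_for(version: str) -> Optional[str]:
    """Upgrade target for an affected version, or None if it is not affected."""
    k = version_key(version)
    for lo, hi in AFFECTED_RANGES:
        if version_key(lo) <= k < version_key(hi):
            return hi
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


# Matches the resolved-artifact lines of `mvn dependency:list`; the optional
# group absorbs a classifier so the version is captured either way.
DEP_LINE_RE = re.compile(
    r"org\.apache\.tomcat:tomcat-coyote:[\w-]+:(?:[\w-]+:)?([\w.]+):\w+")


def find_vulnerable(dependency_list_output: str) -> List[Tuple[str, str]]:
    """Return (resolved version, upgrade target) for every affected
    tomcat-coyote artifact found in the plugin output."""
    hits = []
    for line in dependency_list_output.splitlines():
        m = DEP_LINE_RE.search(line)
        if m and is_affected(m.group(1)):
            hits.append((m.group(1), fixed_version_for(m.group(1))))
    return hits


# Constructed sample of `mvn dependency:list` output, not from a real build.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tomcat:tomcat-coyote:jar:8.5.6:compile
[INFO]    org.apache.tomcat:tomcat-util:jar:8.5.6:compile
[INFO]    org.apache.tomcat:tomcat-juli:jar:8.5.6:compile
"""

if __name__ == "__main__":
    for found, target in find_vulnerable(SAMPLE_OUTPUT):
        print(f"tomcat-coyote {found} is affected; upgrade to {target}")
```

Feed the function the real output of `mvn dependency:list` (or any tool that prints the same coordinates) rather than only the declared version in the POM, because tomcat-coyote is usually pulled in transitively and the resolved version is the one that matters.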
Additional Resources
- https://usn.ubuntu.com/4557-1
- https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
- http://rhn.redhat.com/errata/RHSA-2017-0527.html
- https://github.com/apache/tomcat/commit/f96f5751d418ae5a2f550be040daf9c5f7d99256
- https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48
- https://access.redhat.com/errata/RHSA-2017:0935
- http://rhn.redhat.com/errata/RHSA-2017-0246.html
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39
What are Similar Vulnerabilities to CVE-2016-6816?
Similar Vulnerabilities: CVE-2007-0466, CVE-2008-2370, CVE-2014-0096, CVE-2016-6815, CVE-2019-0232
