You are here

Tomcat: Invalid Characters in Request Line (WAF and Login/IAM)

CVE-2016-6816, CVE-2016-8735
tomcat, cache poisoning, XSS

Apache Tomcat fixed two vulnerabilities CVE-2016-8735 and CVE-2016-6816 in version 6.0.48, 7.0.73 and 8.0.39.

Airlock WAF is not affected and protects back-end applications


Vulnerability CVE-2016-8735 affects the JMX Remote Lifecycle Listener which is not used by any Airlock product.

Vulnerability CVE-2016-6816 affects the parsing of the HTTP request line. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own. [1]

Airlock WAF protects back-end systems by decoding all requests and building new, properly encoded and normalized requests.


no action required.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock