
Tomcat: Invalid Characters in Request Line (WAF and Login/IAM)

IDs: 
CVE-2016-6816, CVE-2016-8735
Keywords: 
tomcat, cache poisoning, XSS
Description: 

Apache Tomcat fixed two vulnerabilities, CVE-2016-8735 and CVE-2016-6816, in versions 6.0.48, 7.0.73 and 8.0.39 (the corresponding 8.5 and 9.0 releases are 8.5.8 and 9.0.0.M13).

Airlock WAF is not affected and protects back-end applications.

Details:

Vulnerability CVE-2016-8735 affects the JMX Remote Lifecycle Listener, which is not used by any Airlock product.

Vulnerability CVE-2016-6816 affects the parsing of the HTTP request line: Tomcat accepted characters that are not valid there. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but interpreted them differently, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web cache, perform an XSS attack and/or obtain sensitive information from requests other than their own. [1]

Airlock WAF protects back-end systems because it does not forward the original request: it decodes every request and builds a new, properly encoded and normalized request, so the back-end only ever sees one unambiguous request line.
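The two properties described above, strict rejection of invalid request-line characters and rebuilding the request in one canonical encoding, are shown below as an added example. This is illustrative code written for this page, not Airlock's or Tomcat's implementation; the character classes follow RFC 7230 (token) and RFC 3986 (path, query), only origin-form request-targets are handled, and the sample request lines in the main block are constructed, not captured traffic.

```python
import re

# Character classes from RFC 7230 (token) and RFC 3986 (path, query).
ALNUM = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
TCHAR = ALNUM | set("!#$%&'*+-.^_`|~")
UNRESERVED = ALNUM | set("-._~")
PCHAR = UNRESERVED | set("!$&'()*+,;=") | set(":@")
PATH_CHARS = PCHAR | set("/")
QUERY_CHARS = PCHAR | set("/?")
PCT = re.compile(r"%[0-9A-Fa-f]{2}")


class InvalidRequestLine(ValueError):
    """Raised for anything a strict RFC 7230 parser must answer with 400."""


def _check_chars(segment, allowed, what):
    # Accept allowed literal characters and well-formed %XX escapes only.
    # Raw controls, spaces, quotes, braces, backslash, non-ASCII bytes and
    # malformed escapes are the "invalid characters" that two parsers in a
    # chain may interpret differently.
    i = 0
    while i < len(segment):
        if segment[i] == "%":
            if not PCT.match(segment, i):
                raise InvalidRequestLine(f"malformed percent-escape in {what}")
            i += 3
        elif segment[i] in allowed:
            i += 1
        else:
            raise InvalidRequestLine(f"invalid character {segment[i]!r} in {what}")


def parse_request_line(line):
    """Strictly parse 'METHOD SP origin-form-target SP HTTP/x.y'.

    Returns (method, path, query_or_None, version). Absolute-form,
    authority-form and asterisk-form targets are rejected to keep the
    example short (assumption for this example, not a protocol rule)."""
    if "\r" in line or "\n" in line:
        raise InvalidRequestLine("bare CR or LF inside request line")
    parts = line.split(" ")
    if len(parts) != 3:
        raise InvalidRequestLine("request line must be three SP-separated parts")
    method, target, version = parts
    if not method or any(c not in TCHAR for c in method):
        raise InvalidRequestLine("method is not a valid token")
    if not re.fullmatch(r"HTTP/[0-9]\.[0-9]", version):
        raise InvalidRequestLine("malformed HTTP-version")
    if not target.startswith("/"):
        raise InvalidRequestLine("only origin-form request-targets are accepted")
    path, sep, query = target.partition("?")
    _check_chars(path, PATH_CHARS, "path")
    if sep:
        _check_chars(query, QUERY_CHARS, "query")
    return method, path, (query if sep else None), version


def _canonical(segment):
    # RFC 3986 6.2.2: decode escapes of unreserved octets to the literal
    # character, upper-case the hex of every other escape (so %2F stays an
    # escaped slash and never creates a new path segment), and pass the
    # already-validated literal characters through unchanged.
    out, i = [], 0
    while i < len(segment):
        if segment[i] == "%":
            byte = int(segment[i + 1:i + 3], 16)
            out.append(chr(byte) if chr(byte) in UNRESERVED else "%%%02X" % byte)
            i += 3
        else:
            out.append(segment[i])
            i += 1
    return "".join(out)


def _remove_dot_segments(path):
    # RFC 3986 5.2.4, run after decoding so that "%2e%2e" and ".." are
    # treated identically instead of depending on the next parser's order.
    out = []
    for seg in path.split("/")[1:]:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    result = "/" + "/".join(out)
    if path.endswith(("/.", "/..")) and not result.endswith("/"):
        result += "/"
    return result


def normalize_request_line(line):
    """Validate, then rebuild the request line in one canonical encoding,
    so every parser downstream sees a request with a single interpretation."""
    method, path, query, version = parse_request_line(line)
    target = _remove_dot_segments(_canonical(path))
    if query is not None:
        target += "?" + _canonical(query)
    return f"{method} {target} {version}"


if __name__ == "__main__":
    # Constructed sample request lines, not captured traffic.
    samples = [
        "GET /%7Euser/%2e%2e/%41dmin/./x%3f?q=%2f HTTP/1.1",
        "GET /a{b} HTTP/1.1",              # literal brace: not a pchar
        "GET /a\x0bb HTTP/1.1",            # raw control byte (VT)
        "GET /a\rX-Injected: 1 HTTP/1.1",  # bare CR
        "GET /%zz HTTP/1.1",               # malformed escape
    ]
    for s in samples:
        try:
            print("accepted:", normalize_request_line(s))
        except InvalidRequestLine as e:
            print("rejected:", repr(s), "->", e)
```

The first sample is accepted and rewritten to `GET /Admin/x%3F?q=%2F HTTP/1.1`; the other four are rejected before anything is forwarded. Keeping reserved characters such as `%2F` escaped rather than decoding them is a deliberate choice: decoding them would change the path structure and reintroduce the ambiguity the rebuild is meant to remove.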

Resolution: 

No action required.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock