Hi All

This vulnerability (CVE-2016-6816) is said to be "Affects: 9.0.0.M1 to
9.0.0.M11" on another URL, https://tomcat.apache.org/security-9.html.
But in the mail it says Tomcat 7 is also affected.
Does this vulnerability affect version 7.0.72?

-Regards
Utkarsh

On Tue, Nov 22, 2016 at 1:42 AM, Mark Thomas <ma...@apache.org> wrote:

> CVE-2016-6816 Apache Tomcat Information Disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.0.M11
> Apache Tomcat 8.5.0 to 8.5.6
> Apache Tomcat 8.0.0.RC1 to 8.0.38
> Apache Tomcat 7.0.0 to 7.0.72
> Apache Tomcat 6.0.0 to 6.0.47
> Earlier, unsupported versions may also be affected.
>
> Description
> The code that parsed the HTTP request line permitted invalid characters.
> This could be exploited, in conjunction with a proxy that also permitted
> the invalid characters but with a different interpretation, to inject
> data into the HTTP response. By manipulating the HTTP response the
> attacker could poison a web-cache, perform an XSS attack and/or obtain
> sensitive information from requests other than their own.
>
> Mitigation
> Users of affected versions should apply one of the following mitigations
> - Upgrade to Apache Tomcat 9.0.0.M13 or later
>   (Apache Tomcat 9.0.0.M12 has the fix but was not released)
> - Upgrade to Apache Tomcat 8.5.8 or later
>   (Apache Tomcat 8.5.7 has the fix but was not released)
> - Upgrade to Apache Tomcat 8.0.39 or later
> - Upgrade to Apache Tomcat 7.0.73 or later
> - Upgrade to Apache Tomcat 6.0.48 or later
>
> Credit:
> This issue was discovered by Regis Leroy from Makina Corpus.
>
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html
> [4] http://tomcat.apache.org/security-6.html
>

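The advisory above describes a request-line parser that let invalid characters through. As an added example (not Tomcat's code and not part of this thread), here is a strict HTTP/1.1 request-line validator in Python that rejects the character classes RFC 7230 does not permit; the sample request lines are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Character classes from RFC 7230. Method is a "token"; the request-target
# is restricted to visible ASCII (0x21-0x7E), which excludes CR, LF, other
# control bytes, whitespace and non-ASCII bytes; the version is fixed-form.
TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
TARGET_RE = re.compile(rb"[\x21-\x7e]+")
VERSION_RE = re.compile(rb"HTTP/1\.[01]")

class RequestLine(NamedTuple):
    method: bytes
    target: bytes
    version: bytes

def parse_request_line(line: bytes) -> Optional[RequestLine]:
    """Return the parsed request line, or None if it violates the grammar.

    A lenient parser that accepts bytes outside these classes may read a
    request differently from a proxy in front of it; a strict parser
    refuses such lines so the two can never disagree about what was asked.
    """
    if not line.endswith(b"\r\n"):
        return None  # bare LF or missing terminator is rejected
    parts = line[:-2].split(b" ")
    if len(parts) != 3:  # exactly two single SP separators, no tabs
        return None
    method, target, version = parts
    # fullmatch (not match/$) so a stray trailing byte can never slip past
    if not TOKEN_RE.fullmatch(method):
        return None
    if not TARGET_RE.fullmatch(target):
        return None
    if not VERSION_RE.fullmatch(version):
        return None
    return RequestLine(method, target, version)

def is_valid_request_line(line: bytes) -> bool:
    return parse_request_line(line) is not None

# Constructed sample request lines (not taken from the advisory).
SAMPLES = {
    b"GET /index.html HTTP/1.1\r\n": True,
    b"GET /index.html\x01 HTTP/1.1\r\n": False,  # control byte in target
    b"GET /a\rb HTTP/1.1\r\n": False,            # bare CR inside target
    b"GET /caf\xc3\xa9 HTTP/1.1\r\n": False,     # non-ASCII bytes
    b"GET  /index.html HTTP/1.1\r\n": False,     # doubled separator
    b"GET /index.html HTTP/1.1\n": False,        # LF-only terminator
}
```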