CVE-2016-8743
Published: 22 December 2016
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.
Notes
Author | Note |
---|---|
ratliff | Notes from Debian "The fix is not fully backwards compatible so upstream have created a new option to control this behaviour. Affects: 2.2.0 to 2.4.23." |
mdeslaur | This fix no longer allows underscores in host names. Debian added a patch to restore the behaviour: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851357 http://mail-archives.apache.org/mod_mbox/httpd-dev/201702.mbox/%3C20170202125319.GA15948%40redhat.com%3E The new configuration option doesn't entirely preserve backwards compatibility: https://bz.apache.org/bugzilla/show_bug.cgi?id=60783 |
Priority
Status
Package | Release | Status |
---|---|---|
apache2 Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
trusty |
Released
(2.4.7-1ubuntu4.15)
|
|
upstream |
Released
(2.4.25-1)
|
|
xenial |
Released
(2.4.18-2ubuntu3.2)
|
|
yakkety |
Released
(2.4.18-2ubuntu4.1)
|
|
zesty |
Not vulnerable
(2.4.25-3ubuntu2)
|
|
Patches: upstream: https://svn.apache.org/r1668879 upstream: https://svn.apache.org/r1743516 upstream: https://svn.apache.org/r1773801 upstream: https://svn.apache.org/r1772678 upstream: https://svn.apache.org/r1773802 upstream: https://svn.apache.org/r1773803 upstream: https://svn.apache.org/r1773995 upstream: https://svn.apache.org/r1774429 upstream: https://svn.apache.org/r1778052 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References
- https://lists.apache.org/thread.html/139862b41c0dfd5e6e00ad89c00119f9faf0dd41a2f927da9c9a4076@%3Cannounce.httpd.apache.org%3E
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://ubuntu.com/security/notices/USN-3279-1
- https://ubuntu.com/security/notices/USN-3373-1
- https://www.cve.org/CVERecord?id=CVE-2016-8743
- NVD
- Launchpad
- Debian