(IBM Issues Fix for IBM Rational License Key Server) Apache Tomcat Lets Remote Users Conduct HTTP Response Splitting Attacks
|
|
SecurityTracker Alert ID: 1037609 |
|
SecurityTracker URL: http://securitytracker.com/id/1037609
|
|
CVE Reference:
CVE-2016-6816
(Links to External Site)
|
Date: Jan 18 2017
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 8.1.4, 8.1.4.2, 8.1.4.3, 8.1.4.4, 8.1.4.5, 8.1.4.6, 8.1.4.7, 8.1.4.8, 8.1.4.9
|
Description:
A vulnerability was reported in Apache Tomcat. A remote user can conduct HTTP response splitting attacks. IBM Rational License Key Server Administration and Reporting Tool is affected.
A remote user can submit a specially crafted URL to cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt to poison any intermediate web caches, or conduct cross-site scripting attacks.
Regis Leroy from Makina Corpus reported this vulnerability.
|
Impact:
A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.
A remote user may be able to poison any intermediate web caches with arbitrary content.
|
Solution:
IBM has issued a fix for IBM Rational License Key Server Administration and Reporting Tool.
The IBM advisory is available at:
http://www-01.ibm.com/support/docview.wss?uid=swg21995664
|
Vendor URL: www-01.ibm.com/support/docview.wss?uid=swg21995664 (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (Solaris - SunOS), Windows (Any)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
|
|
[Original Message Not Available for Viewing]
|
|
