CVE-2016-8743 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2016-8743?

CVE-2016-8743 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-8743?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Netapp Clustered Data Ontap, Netapp Oncommand Unified Manager, Debian Debian Linux, Redhat Enterprise Linux Desktop.

Vulnerability Description

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Http Server	>= 2.2.0, <= 2.2.31
Netapp	Clustered Data Ontap	-
Netapp	Oncommand Unified Manager	-
Debian	Debian Linux	8.0
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Eus	7.3
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Server Aus	7.3
Redhat	Enterprise Linux Server Tus	7.3
Redhat	Enterprise Linux Workstation	6.0
Redhat	Jboss Core Services	1.0
Redhat	Enterprise Linux	6.0

References

http://rhn.redhat.com/errata/RHSA-2017-1415.htmlThird Party Advisory
http://www.debian.org/security/2017/dsa-3796Third Party Advisory
http://www.securityfocus.com/bid/95077Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1037508Broken LinkThird Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:0906Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1161Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1413Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1414Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1721Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_naThird Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_naThird Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-8743Vendor Advisory
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cd
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e10
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772

FAQ

What is CVE-2016-8743?

CVE-2016-8743 is a vulnerability with a CVSS score of 7.5 (HIGH). Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represe...

How severe is CVE-2016-8743?

CVE-2016-8743 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-8743?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Netapp Clustered Data Ontap, Netapp Oncommand Unified Manager, Debian Debian Linux, Redhat Enterprise Linux Desktop.