CVE-2016-4993: CRLF Injection
First published: Thu Jun 09 2016(Updated: )
CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| JBoss Enterprise Application Platform | <=7.0.1 | |
| Red Hat JBoss WildFly Application Server | =10.0.0 | |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2016-1838.html
- http://rhn.redhat.com/errata/RHSA-2016-1839.html
- http://rhn.redhat.com/errata/RHSA-2016-1840.html
- http://rhn.redhat.com/errata/RHSA-2016-1841.html
- http://www.securityfocus.com/bid/92894
- http://www.securitytracker.com/id/1036758
- https://access.redhat.com/errata/RHSA-2017:3454
- https://access.redhat.com/errata/RHSA-2017:3455
- https://access.redhat.com/errata/RHSA-2017:3456
- https://access.redhat.com/errata/RHSA-2017:3458
- https://bugzilla.redhat.com/show_bug.cgi?id=1344321
- https://rhn.redhat.com/errata/RHSA-2016-1841.html
- https://rhn.redhat.com/errata/RHSA-2016-1840.html
- https://rhn.redhat.com/errata/RHSA-2016-1838.html
- https://rhn.redhat.com/errata/RHSA-2016-1839.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1344321#c26
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1344321#c38
- https://issues.jboss.org/browse/UNDERTOW-827
Frequently Asked Questions
What is the severity of CVE-2016-4993?
CVE-2016-4993 has a medium severity rating as it allows for HTTP response splitting attacks.
How do I fix CVE-2016-4993?
To fix CVE-2016-4993, upgrade to WildFly 10.0.1 or higher or JBoss EAP 7.0.2 or higher.
Which versions are affected by CVE-2016-4993?
CVE-2016-4993 affects WildFly 10.0.0 and JBoss EAP 7.x versions prior to 7.0.2.
What types of attacks can CVE-2016-4993 allow?
CVE-2016-4993 can allow attackers to conduct arbitrary HTTP header injection and HTTP response splitting attacks.
Who is vulnerable to CVE-2016-4993?
Organizations using WildFly 10.0.0 or JBoss EAP 7.x versions up to 7.0.1 are vulnerable to CVE-2016-4993.
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-4993
- agent/type
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/last-modified-date
- agent/description
- agent/event
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/redhat
- canonical/jboss enterprise application platform
- version/jboss enterprise application platform/7.0.1
- canonical/red hat jboss wildfly application server
- version/red hat jboss wildfly application server/10.0.0
- canonical/red hat enterprise linux
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/7.0