CWE
79
Advisory Published

RHSA-2017:0527: Moderate: tomcat6 security update

First published: Wed Mar 15 2017(Updated: )

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.<br>Security Fix(es):<br><li> It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)</li> Note: This fix causes Tomcat to respond with an HTTP 400 Bad Request error when request contains characters that are not permitted by the HTTP specification to appear not encoded, even though they were previously accepted. The newly introduced system property tomcat.util.http.parser.HttpParser.requestTargetAllow can be used to configure Tomcat to accept curly braces ({ and }) and the pipe symbol (|) in not encoded form, as these are often used in URLs without being properly encoded. <br><li> A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)</li>

Affected SoftwareAffected VersionHow to fix
redhat/tomcat6<6.0.24-105.el6_8
6.0.24-105.el6_8
redhat/tomcat6<6.0.24-105.el6_8
6.0.24-105.el6_8
redhat/tomcat6-admin-webapps<6.0.24-105.el6_8
6.0.24-105.el6_8
redhat/tomcat6-docs-webapp<6.0.24-105.el6_8
6.0.24-105.el6_8
redhat/tomcat6-el<2.1-api-6.0.24-105.el6_8
2.1-api-6.0.24-105.el6_8
redhat/tomcat6-javadoc<6.0.24-105.el6_8
6.0.24-105.el6_8
redhat/tomcat6-jsp<2.1-api-6.0.24-105.el6_8
2.1-api-6.0.24-105.el6_8
redhat/tomcat6-lib<6.0.24-105.el6_8
6.0.24-105.el6_8
redhat/tomcat6-servlet<2.5-api-6.0.24-105.el6_8
2.5-api-6.0.24-105.el6_8
redhat/tomcat6-webapps<6.0.24-105.el6_8
6.0.24-105.el6_8

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is the severity of RHSA-2017:0527?

    The severity of RHSA-2017:0527 is classified as moderate.

  • How do I fix RHSA-2017:0527?

    To fix RHSA-2017:0527, update your Apache Tomcat to version 6.0.24-105.el6_8 or later.

  • What vulnerabilities does RHSA-2017:0527 address?

    RHSA-2017:0527 addresses vulnerabilities related to improper parsing of the HTTP request line.

  • Which versions of Apache Tomcat are affected by RHSA-2017:0527?

    Apache Tomcat versions prior to 6.0.24-105.el6_8 are affected by RHSA-2017:0527.

  • Where can I find more information about RHSA-2017:0527?

    More information about RHSA-2017:0527 can typically be found within your system's package management system or security advisories.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203