Apache vulnerability CVE-2016-8743

2017-02-0323:10:00

support.f5.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.003 Low

EPSS

Percentile

64.2%

JSON

Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Accepting these different behaviors represented a security concern when httpd participates in any chain of proxies or interacts with back-end application servers, either through mod_proxy or using conventional CGI mechanisms, and may result in request smuggling, response splitting and cache pollution. (CVE-2016-8743)

Impact

An attacker may be able to perform HTTP request smuggling through specially crafted HTTP requests. For more information about HTTP request smuggling, refer to Section 9.5 Request Smuggling of Internet Engineering Task Force (RFC 7230).

Note: This link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge.

CPENameOperatorVersion
big-iq centralized managementle5.1.0
big-ip aamle14.1.0
big-ip afmle14.1.0
big-ip analyticsle14.1.0
big-ip apmle14.1.0
big-ip asmle14.1.0
big-ip dnsle14.1.0
big-ip gtmle14.1.0
big-ip link controllerle14.1.0
big-ip ltmle14.1.0

Name	Operator	Version
big-iq centralized management	le	5.1.0
big-ip aam	le	14.1.0
big-ip afm	le	14.1.0
big-ip analytics	le	14.1.0
big-ip apm	le	14.1.0
big-ip asm	le	14.1.0
big-ip dns	le	14.1.0
big-ip gtm	le	14.1.0
big-ip link controller	le	14.1.0
big-ip ltm	le	14.1.0