Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2018-1067

Related Vulnerabilities: CVE-2018-1067  

It was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.

Source
It was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.

Find out more about CVE-2018-1067 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 5.8
Base Metrics AV:N/AC:M/Au:N/C:P/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact None

CVSS v3 metrics

CVSS3 Base Score 5.4
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity Impact Low
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (rhvm-appliance) RHSA-2018:2643 2018-09-04
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server RHSA-2018:1248 2018-04-25
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) RHSA-2018:1249 2018-04-25
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server RHSA-2018:1247 2018-04-25
Red Hat JBoss EAP 7.1 RHSA-2018:1251 2018-04-25
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) RHSA-2018:1249 2018-04-25

Affected Packages State

Platform Package State
Red Hat Virtualization 4 eap7-undertow Affected
Red Hat Virtualization 4 eap7-wildfly Not affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-java-common-tomcat Not affected
Red Hat Single Sign-On 7 wildfly Under investigation
Red Hat OpenShift Application Runtimes 1.0 swarm Affected
Red Hat JBoss Fuse Service Works 6 jbossweb Will not fix
Red Hat JBoss Fuse 6 jbossweb Will not fix
Red Hat JBoss Enterprise SOA Platform 5 jbossweb Will not fix
Red Hat JBoss EWS 2 tomcat7 Not affected
Red Hat JBoss EWS 2 tomcat6 Not affected
Red Hat JBoss EAP 6 jbossweb Not affected
Red Hat JBoss EAP 5 jbossweb Under investigation
Red Hat JBoss Data Grid 7 wildfly Under investigation
Red Hat JBoss Data Grid 6 jbossweb Under investigation
Red Hat JBoss BRMS 5 jbossweb Will not fix
Red Hat Enterprise Linux 7 tomcat Not affected
Red Hat Enterprise Linux 6 tomcat6 Not affected
Red Hat Enterprise Linux 5 tomcat5 Not affected

Acknowledgements

Red Hat would like to thank Ammarit Thongthua (Deloitte Thailand Pentest team) and Nattakit Intarasorn (Deloitte Thailand Pentest team) for reporting this issue.

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact Red Hat Product Security.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started