CVE-2017-7656 HTTP Request Smuggling when used with invalid request headers for HTTP/0.9.
Article ID: 122904
Updated On:
Products
CA Identity Manager
CA Identity Governance
CA Identity Portal
Issue/Introduction
Vulnerability report shows "CVE-2017-7656: HTTP Request Smuggling when used with invalid request headers for HTTP/0.9."
Library names:
jetty-http
jetty-server
jetty-util
jetty-servlet
Is Identity Manager exposed to this vulnerability?
Environment
Release:
Component: IDMGR
Component: IDMGR
Resolution
Identity Manager is not exposed to this vulnerability.
Identity Manager system uses an Application Server to carry out the communication between Identity Manager User Console and Java Connector Server (JCS). Jetty is part of JCS and from deployment standpoint, JCS is positioned behind the Application Server. It is no way exposed to external interfaces to carry out any HTTP requests. Hence, IMS is not vulnerable to perform HTTP request smuggling with invalid request header for HTTP/0.9, HTTP request smuggling with invalid body content of HTTP/1.1 and to interpret the boundary of the HTTP request differently with more than one Content-Length headers.
Identity Manager system uses an Application Server to carry out the communication between Identity Manager User Console and Java Connector Server (JCS). Jetty is part of JCS and from deployment standpoint, JCS is positioned behind the Application Server. It is no way exposed to external interfaces to carry out any HTTP requests. Hence, IMS is not vulnerable to perform HTTP request smuggling with invalid request header for HTTP/0.9, HTTP request smuggling with invalid body content of HTTP/1.1 and to interpret the boundary of the HTTP request differently with more than one Content-Length headers.
Feedback
Yes
No
Powered by
