Request with invalid characters receives 505 instead of 400
Environment
- JBoss Enterprise Application Platform (EAP)
- 6.4.13
- 6.4.14
- 6.4.15
- 6.4.16
Issue
- Requests whose request line contains characters rejected by the CVE-2016-6816 fix receive a 505 (HTTP Version Not Supported) response. The expected response for a malformed request is 400 (Bad Request).
Resolution
- Upgrade to 6.4.17. The response code will then be 400 as expected.
Root Cause
- BZ-1433123
- The response status is first set to 400 because of the invalid characters in the request line. Request processing nevertheless continues into the Http11Processor.prepareRequest call. Because request-line parsing was abandoned at the invalid character, prepareRequest does not find a valid protocol on the request and sets 505 (HTTP Version Not Supported), overwriting the 400 that was already set.
The fix for CVE-2016-6816 enforces the HTTP request-line character rules more strictly, rejecting invalid characters instead of passing them through.
As a result, any client that sends a request containing any of the following characters to 6.4.13 or later is affected by this change: the request is rejected, and on 6.4.13 to 6.4.16 the rejection is reported as 505 rather than 400.
- Control characters (values 0x01 to 0x1f, and 0x7f)
- 8-bit values, i.e. non-ASCII bytes (values > 0x7f)
- Any of the following characters:
  - ' ' (space character)
  - '"' (double quote)
  - '#' (hash or pound)
  - '<' (less than)
  - '>' (greater than)
  - '\' (back slash)
  - '^' (circumflex)
  - '`' (backquote)
  - '{' (left squiggly bracket or brace)
  - '|' (vertical bar)
  - '}' (right squiggly bracket or brace)
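Added example, not code from this article and not JBoss Web or Tomcat code: a Python re-implementation of the character rule listed above, a percent-encoding helper that shows what an affected client has to send instead, and a simplified model of the status ordering from the Root Cause section (400 recorded while parsing the request line, then overwritten by 505 in prepareRequest because the protocol was never read). The function names, the dict-based request object and the `fixed` flag are illustrative assumptions. The model does not treat a bare space inside the target specially, since any parser reads a space as the field delimiter; the other listed characters are the interesting case.

```python
"""Added example (not JBoss Web / Tomcat code): the request-line character rule from
CVE-2016-6816 as listed in this article, a client-side percent-encoding helper, and a
simplified model of the 400 -> 505 status overwrite described in the Root Cause."""

# Punctuation the hardened parser rejects in a request target (the article's list).
_REJECTED_PUNCT = frozenset(b' "#<>\\^`{|}')


def is_rejected_byte(b: int) -> bool:
    """True for control characters, 0x7f, 8-bit values and the listed punctuation.
    0x00 is treated as a control character here as well (an assumption; the
    article's range starts at 0x01)."""
    return b <= 0x1F or b >= 0x7F or b in _REJECTED_PUNCT


def invalid_bytes(target: bytes) -> list:
    """(offset, byte) pairs for every byte of the target the fixed parser rejects."""
    return [(i, b) for i, b in enumerate(target) if is_rejected_byte(b)]


def percent_encode_target(target: bytes) -> bytes:
    """Percent-encode every rejected byte: the form a client must send to 6.4.13+."""
    out = bytearray()
    for b in target:
        if is_rejected_byte(b):
            out += b"%%%02X" % b
        else:
            out.append(b)
    return bytes(out)


# --- simplified model of the status selection in the Root Cause (hypothetical) ---

VALID_PROTOCOLS = (b"HTTP/1.0", b"HTTP/1.1")


def parse_request_line(line: bytes) -> dict:
    """Parse 'METHOD SP target SP protocol'. Like the hardened parser, give up at the
    first rejected byte in the target: status becomes 400 and the protocol field is
    never populated, which is the state prepareRequest later sees."""
    line = line.rstrip(b"\r\n")
    method, _, rest = line.partition(b" ")
    target, _, protocol = rest.partition(b" ")
    req = {"method": method, "target": b"", "protocol": b"", "status": 0}
    bad = invalid_bytes(target)
    if bad:
        req["target"] = target[: bad[0][0]]   # parsed only up to the bad byte
        req["status"] = 400
        return req
    req["target"], req["protocol"] = target, protocol
    return req


def prepare_request(req: dict, fixed: bool) -> int:
    """Model of the protocol check in prepareRequest.
    fixed=False (6.4.13 to 6.4.16): an unrecognised protocol sets 505 unconditionally,
    overwriting the 400 already recorded.
    fixed=True (6.4.17): a request line that already failed keeps its 400."""
    if fixed and req["status"] == 400:
        return 400
    if req["protocol"] not in VALID_PROTOCOLS:
        return 505
    return req["status"] or 200


def response_status(line: bytes, fixed: bool) -> int:
    """Status code the modelled server sends for one raw request line."""
    return prepare_request(parse_request_line(line), fixed)


if __name__ == "__main__":
    # Constructed request lines; the first two are the kind this article is about.
    for raw in (b"GET /a{b} HTTP/1.1\r\n",
                b"GET /caf\xc3\xa9 HTTP/1.1\r\n",
                b"GET /a%7Bb%7D HTTP/1.1\r\n"):
        print(raw, "6.4.13-16 ->", response_status(raw, fixed=False),
              " 6.4.17 ->", response_status(raw, fixed=True))
    print(percent_encode_target(b"/search?q={a|b}"))
```

`response_status(..., fixed=False)` reproduces the 505 reported in this article for a target such as `/a{b}`, and `fixed=True` gives the 400 that 6.4.17 returns. The percent-encoded form of the same target is accepted under both models, which is the client-side correction for requests that relied on sending these characters raw.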
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.