400 Error on Apache HTTPD after security update CVE-2016-8743

Solution Verified - Updated -

Issue

  • 400 Error on the httpd server after security update - CVE-2016-8743
  • Version httpd-2.4.6-45 will not allow this request and will throw HTTP 400 error, and below is the corresponding error log :
####### error Logs :
[Tue Nov 14 05:46:37.239592 2017] [core:debug] [pid 8344:tid 139677243242240] protocol.c(839): [client 127.0.0.1:6231] AH03448: HTTP Request Line; Excess whitespace (disallowed by HttpProtocolOptions Strict
[Tue Nov 14 05:46:38.240954 2017] [core:debug] [pid 8351:tid 139677243770624] protocol.c(839): [client 127.0.0.1:6231] AH03448: HTTP Request Line; Excess whitespace (disallowed by HttpProtocolOptions Strict
  • Or:
[Mon May 04 11:13:21.684695 2020] [core:debug] [pid 19146:tid 140173291640576] protocol.c(917): [client 127.0.0.1:49436] AH02418: HTTP Request Line; Unrecognized protocol 'HTTP/1.0\\n' (perhaps whitespace was injected?)
  • The following error is happening:
[Thu Jun 28 14:04:41.595485 2018] [core:debug] [pid 29520:tid 9116] protocol.c(1383): [client 10.122.0.35:54497] AH00569: client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /heartbeat.html

Environment

  • Red Hat Enterprise Linux
    • 7.x
    • 6.x
  • Red Hat Software Collections
    • 2.x
    • 3.x
  • JBoss Core Services (JBCS)
  • Apache HTTPD
    • 2.4.6
    • 2.2.32

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content