400 Error on Apache HTTPD after security update CVE-2016-8743

Solution Verified - Updated -

Issue

  • 400 Error on the httpd server after security update - CVE-2016-8743
  • Version httpd-2.4.6-45 rejects the request with an HTTP 400 error and writes the following to the error log:
[Tue Nov 14 05:46:37.239592 2017] [core:debug] [pid 8344:tid 139677243242240] protocol.c(839): [client 127.0.0.1:6231] AH03448: HTTP Request Line; Excess whitespace (disallowed by HttpProtocolOptions Strict
[Tue Nov 14 05:46:38.240954 2017] [core:debug] [pid 8351:tid 139677243770624] protocol.c(839): [client 127.0.0.1:6231] AH03448: HTTP Request Line; Excess whitespace (disallowed by HttpProtocolOptions Strict
  • Or:
[Mon May 04 11:13:21.684695 2020] [core:debug] [pid 19146:tid 140173291640576] protocol.c(917): [client 127.0.0.1:49436] AH02418: HTTP Request Line; Unrecognized protocol 'HTTP/1.0\\n' (perhaps whitespace was injected?)
  • Or the following error is logged:
[Thu Jun 28 14:04:41.595485 2018] [core:debug] [pid 29520:tid 9116] protocol.c(1383): [client 10.122.0.35:54497] AH00569: client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /heartbeat.html
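
To see which of the three logged conditions a client request would hit (for example a probe like the /heartbeat.html request in the last log line), the sketch below classifies a raw request. It is an added example, not Red Hat's or httpd's code: it only approximates the checks named in the messages above, and `classify_request`, `PROBES` and the sample requests are constructed for illustration.

```python
import re

# Approximates the three checks named in the log messages above. It is not
# httpd's own parser; classify_request and PROBES are hypothetical names.
VERSION = re.compile(r"HTTP/\d\.\d")

def classify_request(raw: bytes):
    """Return the AH code strict parsing is expected to log, or None if clean."""
    lines = [l.rstrip("\r") for l in raw.decode("latin-1").split("\n")]
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    parts = request_line.split(" ")
    # Strict form is "method SP target SP version": single spaces, no tabs.
    if "" in parts or re.search(r"[\t\v\f\r]", request_line):
        return "AH03448"                  # excess whitespace
    if len(parts) != 3:
        return "OTHER"                    # outside the three cases on this page
    version = parts[2]
    if not VERSION.fullmatch(version):
        return "AH02418"                  # unrecognized protocol
    if version == "HTTP/1.1" and "host" not in headers:
        return "AH00569"                  # HTTP/1.1 request without Host
    return None

PROBES = {  # constructed sample requests, not captured traffic
    "double_space": b"GET  /heartbeat.html HTTP/1.0\r\n\r\n",
    "literal_backslash_n": b"GET /heartbeat.html HTTP/1.0\\n\r\n\r\n",
    "no_host": b"GET /heartbeat.html HTTP/1.1\r\n\r\n",
    "compliant": b"GET /heartbeat.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in PROBES.items():
        print(f"{label:20} -> {classify_request(raw)}")
```

The `literal_backslash_n` probe reproduces the `'HTTP/1.0\\n'` protocol string from the AH02418 line: a backslash followed by `n` sent as two characters instead of a real line ending.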

Environment

  • Red Hat Enterprise Linux
    • 7.x
    • 6.x
  • Red Hat Software Collections
    • 2.x
    • 3.x
  • JBoss Core Services (JBCS)
  • Apache HTTPD
    • 2.4.6
    • 2.2.32
