Bug 1422148 (CVE-2017-6056)

Summary: CVE-2017-6056 tomcat: Infinite loop in the processing of https requests
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: alee, bbaranow, bmaxwell, cdewolf, coolsvap, csutherl, dandread, darran.lofthouse, dosoudil, gzaronik, hhorak, ivan.afonichev, java-sig-commits, jawilson, jclere, jdoyle, jorton, jshepherd, krzysztof.daniel, lgao, mbabacek, miburman, mizdebsk, myarboro, pgier, psakar, pslavice, psotirop, rmaucher, rnetuka, rsvoboda, spinder, theute, twalsh, vtunka, weli, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20150206,reported=20170214,source=debian,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-835,rhel-6/tomcat6=notaffected,rhel-7/tomcat=notaffected,rhscl-2/rh-java-common-tomcat=notaffected,jbews-2/tomcat7=notaffected,jws-3/tomcat7=affected,jws-3/tomcat8=affected,eap-6/jbossweb=affected,fedora-all/tomcat=notaffected,epel-6/tomcat=notaffected,jon-3/Core Server=wontfix
Fixed In Version: tomcat 8.0.19, tomcat 7.0.60, tomcat 6.0.44
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1423440, 1423452, 1423453, 1430252
Bug Blocks: 1422150, 1428993

Description Andrej Nemec 2017-02-14 15:24:57 UTC
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.

Upstream patch:

https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788#diff-2aeb244142da5fcb78a54e23f717fcd2

Upstream bug:

https://bz.apache.org/bugzilla/show_bug.cgi?id=57544

Comment 8 Andrej Nemec 2017-03-01 15:16:13 UTC
External References:

http://tomcat.apache.org/security-7.html
https://access.redhat.com/articles/2991951

Comment 9 errata-xmlrpc 2017-03-14 17:33:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4.14 

Via RHSA-2017:0517 https://rhn.redhat.com/errata/RHSA-2017-0517.html

Comment 11 errata-xmlrpc 2017-03-22 16:50:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:0828 https://rhn.redhat.com/errata/RHSA-2017-0828.html

Comment 12 errata-xmlrpc 2017-03-22 16:51:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0827 https://rhn.redhat.com/errata/RHSA-2017-0827.html

Comment 13 errata-xmlrpc 2017-03-22 16:52:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:0826 https://rhn.redhat.com/errata/RHSA-2017-0826.html

Comment 14 errata-xmlrpc 2017-03-22 17:12:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0829 https://rhn.redhat.com/errata/RHSA-2017-0829.html

Comment 19 Timothy Walsh 2017-04-11 00:10:51 UTC
Statement:

This issue was made easier to exploit, causing a denial of service when the patch for CVE-2016-6816 was present and the patch that corrected this flaw was not. The issue was not classified as a security flaw upstream. It was corrected in products like Red Hat Enterprise Linux 6 and 7 and JBoss Enterprise Web Server 3 prior to the fix for CVE-2016-6816 being applied. This was not the case for JBoss Enterprise Application Server 6. As a result, only EAP 6.4.13 is vulnerable to this issue and 6.4.14 corrects it. For further information, refer to https://access.redhat.com/articles/2991951.