Bug 1441230 (CVE-2017-5650)

Summary: CVE-2017-5650 tomcat: Handling of HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, alazarot, alee, bbaranow, bmaxwell, cdewolf, chazlett, coolsvap, csutherl, dandread, darran.lofthouse, dosoudil, etirelli, felias, gvarsami, gzaronik, hchiorea, hhorak, huwang, ivan.afonichev, java-sig-commits, jawilson, jclere, jcoleman, jdoyle, jolee, jorton, jshepherd, kconner, krzysztof.daniel, kverlaen, ldimaggi, lgao, lpetrovi, mbabacek, mbaluch, mizdebsk, mwinkler, myarboro, nwallace, pavelp, pgier, psakar, pslavice, psotirop, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, spinder, tcunning, theute, tkirby, trick, twalsh, vhalbert, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: tomcat 8.5.13 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-04-18 06:01:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1441210    

Description Adam Mariš 2017-04-11 13:10:58 UTC
The handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

Affected versions: 8.5.0 to 8.5.12

Upstream fix:




Comment 1 Adam Mariš 2017-04-11 13:33:02 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1441242]