Bug 1422148 (CVE-2017-6056) - CVE-2017-6056 tomcat: Infinite loop in the processing of https requests
Summary: CVE-2017-6056 tomcat: Infinite loop in the processing of https requests
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-6056
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1423440 1423452 1423453 1430252
Blocks: 1422150 1428993
TreeView+ depends on / blocked
 
Reported: 2017-02-14 15:24 UTC by Andrej Nemec
Modified: 2021-10-21 11:51 UTC (History)
34 users (show)

Fixed In Version: tomcat 8.0.19, tomcat 7.0.60, tomcat 6.0.44
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.
Clone Of:
Environment:
Last Closed: 2021-10-21 11:51:50 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0517 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-05-03 01:58:28 UTC
Red Hat Product Errata RHSA-2017:0826 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 5 2017-03-22 20:46:23 UTC
Red Hat Product Errata RHSA-2017:0827 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 6 2017-03-22 20:43:37 UTC
Red Hat Product Errata RHSA-2017:0828 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 7 2017-03-22 20:40:43 UTC
Red Hat Product Errata RHSA-2017:0829 0 normal SHIPPED_LIVE Important: jboss-ec2-eap security, bug fix, and enhancement update 2017-03-22 21:11:17 UTC

Description Andrej Nemec 2017-02-14 15:24:57 UTC 
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.

Upstream patch:

https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788#diff-2aeb244142da5fcb78a54e23f717fcd2

Upstream bug:

https://bz.apache.org/bugzilla/show_bug.cgi?id=57544
Comment 8 Andrej Nemec 2017-03-01 15:16:13 UTC 
External References:

http://tomcat.apache.org/security-7.html
https://access.redhat.com/articles/2991951
Comment 9 errata-xmlrpc 2017-03-14 17:33:23 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4.14 

Via RHSA-2017:0517 https://rhn.redhat.com/errata/RHSA-2017-0517.html
Comment 11 errata-xmlrpc 2017-03-22 16:50:21 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:0828 https://rhn.redhat.com/errata/RHSA-2017-0828.html
Comment 12 errata-xmlrpc 2017-03-22 16:51:33 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0827 https://rhn.redhat.com/errata/RHSA-2017-0827.html
Comment 13 errata-xmlrpc 2017-03-22 16:52:44 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:0826 https://rhn.redhat.com/errata/RHSA-2017-0826.html
Comment 14 errata-xmlrpc 2017-03-22 17:12:31 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0829 https://rhn.redhat.com/errata/RHSA-2017-0829.html
Comment 16 Tomas Hoger 2017-04-05 14:09:34 UTC 
Upstream commits for 6.0 and 7.0:

https://github.com/apache/tomcat60/commit/a7a913dd6c88342d36bbac800056cb6c9376e293
https://github.com/apache/tomcat70/commit/6bd022b904429148610b9fb4cdc8082f20a93ccb
Comment 19 Timothy Walsh 2017-04-11 00:10:51 UTC 
Statement:

This issue was made easier to exploit, causing a denial of service when the patch for CVE-2016-6816 was present and the patch that corrected this flaw was not.  The issue was not classified as a security flaw upstream.  It was corrected in products like Red Hat Enterprise Linux 6 and 7 and JBoss Enterprise Web Server 3 prior to the fix for CVE-2016-6816 being applied.  This was not the case for JBoss Enterprise Application Server 6.  As a result, only EAP 6.4.13 is vulnerable to this issue and 6.4.14 corrects it.  For further information, refer to https://access.redhat.com/articles/2991951
Note You need to log in before you can comment on or make changes to this bug.