Bug 1422148 (CVE-2017-6056) - CVE-2017-6056 tomcat: Infinite loop in the processing of https requests
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20150206,repo...
Keywords: Security
Depends On: 1423452 1423440 1423453 1430252
Blocks: 1422150 1428993
Reported: 2017-02-14 10:24 EST by Andrej Nemec
Modified: 2018-10-19 17:40 EDT

Fixed In Version: tomcat 8.0.19, tomcat 7.0.60, tomcat 6.0.44
Doc Text:
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0517 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-05-02 21:58:28 EDT
Red Hat Product Errata RHSA-2017:0826 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 5 2017-03-22 16:46:23 EDT
Red Hat Product Errata RHSA-2017:0827 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 6 2017-03-22 16:43:37 EDT
Red Hat Product Errata RHSA-2017:0828 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 7 2017-03-22 16:40:43 EDT
Red Hat Product Errata RHSA-2017:0829 normal SHIPPED_LIVE Important: jboss-ec2-eap security, bug fix, and enhancement update 2017-03-22 17:11:17 EDT

Description Andrej Nemec 2017-02-14 10:24:57 EST
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.

Upstream patch:

https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788#diff-2aeb244142da5fcb78a54e23f717fcd2

Upstream bug:

https://bz.apache.org/bugzilla/show_bug.cgi?id=57544
Comment 8 Andrej Nemec 2017-03-01 10:16:13 EST
External References:

http://tomcat.apache.org/security-7.html
https://access.redhat.com/articles/2991951
Comment 9 errata-xmlrpc 2017-03-14 13:33:23 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4.14

Via RHSA-2017:0517 https://rhn.redhat.com/errata/RHSA-2017-0517.html
Comment 11 errata-xmlrpc 2017-03-22 12:50:21 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:0828 https://rhn.redhat.com/errata/RHSA-2017-0828.html
Comment 12 errata-xmlrpc 2017-03-22 12:51:33 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0827 https://rhn.redhat.com/errata/RHSA-2017-0827.html
Comment 13 errata-xmlrpc 2017-03-22 12:52:44 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:0826 https://rhn.redhat.com/errata/RHSA-2017-0826.html
Comment 14 errata-xmlrpc 2017-03-22 13:12:31 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0829 https://rhn.redhat.com/errata/RHSA-2017-0829.html
Comment 19 Timothy Walsh 2017-04-10 20:10:51 EDT
Statement:

This issue was made easier to exploit, causing a denial of service when the patch for CVE-2016-6816 was present and the patch that corrected this flaw was not. The issue was not classified as a security flaw upstream. It was corrected in products like Red Hat Enterprise Linux 6 and 7 and JBoss Enterprise Web Server 3 prior to the fix for CVE-2016-6816 being applied. This was not the case for JBoss Enterprise Application Server 6. As a result, only EAP 6.4.13 is vulnerable to this issue and 6.4.14 corrects it. For further information, refer to https://access.redhat.com/articles/2991951
