Bug 1422148 (CVE-2017-6056) - CVE-2017-6056 tomcat: Infinite loop in the processing of https requests
Summary: CVE-2017-6056 tomcat: Infinite loop in the processing of https requests
Keywords:
Status: NEW
Alias: CVE-2017-6056
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20150206,repo...
Depends On: 1423440 1423452 1423453 1430252
Blocks: 1422150 1428993
TreeView+ depends on / blocked
 
Reported: 2017-02-14 15:24 UTC by Andrej Nemec
Modified: 2019-06-08 21:48 UTC (History)
37 users (show)

Fixed In Version: tomcat 8.0.19, tomcat 7.0.60, tomcat 6.0.44
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0517 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-05-03 01:58:28 UTC
Red Hat Product Errata RHSA-2017:0826 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 5 2017-03-22 20:46:23 UTC
Red Hat Product Errata RHSA-2017:0827 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 6 2017-03-22 20:43:37 UTC
Red Hat Product Errata RHSA-2017:0828 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 7 2017-03-22 20:40:43 UTC
Red Hat Product Errata RHSA-2017:0829 normal SHIPPED_LIVE Important: jboss-ec2-eap security, bug fix, and enhancement update 2017-03-22 21:11:17 UTC

Description Andrej Nemec 2017-02-14 15:24:57 UTC
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.

Upstream patch:

https://github.com/apache/tomcat80/commit/614e7f78aecc429d8740bb59900c2f9fbc86a788#diff-2aeb244142da5fcb78a54e23f717fcd2

Upstream bug:

https://bz.apache.org/bugzilla/show_bug.cgi?id=57544

Comment 8 Andrej Nemec 2017-03-01 15:16:13 UTC
External References:

http://tomcat.apache.org/security-7.html
https://access.redhat.com/articles/2991951

Comment 9 errata-xmlrpc 2017-03-14 17:33:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4.14 

Via RHSA-2017:0517 https://rhn.redhat.com/errata/RHSA-2017-0517.html

Comment 11 errata-xmlrpc 2017-03-22 16:50:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:0828 https://rhn.redhat.com/errata/RHSA-2017-0828.html

Comment 12 errata-xmlrpc 2017-03-22 16:51:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0827 https://rhn.redhat.com/errata/RHSA-2017-0827.html

Comment 13 errata-xmlrpc 2017-03-22 16:52:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:0826 https://rhn.redhat.com/errata/RHSA-2017-0826.html

Comment 14 errata-xmlrpc 2017-03-22 17:12:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0829 https://rhn.redhat.com/errata/RHSA-2017-0829.html

Comment 19 Timothy Walsh 2017-04-11 00:10:51 UTC
Statement:

This issue was made easier to exploit, causing a denial of service when the patch for CVE-2016-6816 was present and the patch that corrected this flaw was not.  The issue was not classified as a security flaw upstream.  It was corrected in products like Red Hat Enterprise Linux 6 and 7 and JBoss Enterprise Web Server 3 prior to the fix for CVE-2016-6816 being applied.  This was not the case for JBoss Enterprise Application Server 6.  As a result, only EAP 6.4.13 is vulnerable to this issue and 6.4.14 corrects it.  For further information, refer to https://access.redhat.com/articles/2991951


Note You need to log in before you can comment on or make changes to this bug.