Bug 1441205 (CVE-2017-5647) - CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used
Summary: CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file...
Status: CLOSED ERRATA
Alias: CVE-2017-5647
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20170410,repo...
Keywords: Security
Depends On: 1441241 1441242 1441243 1441478 1441479 1441480 1441481 1441483 1441484 1470596 1470597
Blocks: 1441210 1446025 1446026 1479475 1482229
TreeView+ depends on / blocked
 
Reported: 2017-04-11 12:35 UTC by Adam Mariš
Modified: 2019-06-11 11:13 UTC (History)
66 users (show)

(edit)
A vulnerability was discovered in Tomcat's handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure.
Clone Of:
(edit)
Last Closed: 2019-06-08 03:10:13 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1801 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 Service Pack 1 security update 2017-07-25 20:44:35 UTC
Red Hat Product Errata RHSA-2017:1802 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server Service Pack 1 security update 2017-07-25 21:46:13 UTC
Red Hat Product Errata RHSA-2017:2493 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2 security update 2017-08-21 19:33:48 UTC
Red Hat Product Errata RHSA-2017:2494 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2 security update 2017-08-21 19:22:58 UTC
Red Hat Product Errata RHSA-2017:3080 normal SHIPPED_LIVE Important: tomcat6 security update 2017-10-30 04:15:02 UTC
Red Hat Product Errata RHSA-2017:3081 normal SHIPPED_LIVE Important: tomcat security update 2017-10-30 04:26:54 UTC

Description Adam Mariš 2017-04-11 12:35:09 UTC
A bug in the handling of the pipelined requests when send file was used resulted in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

Affected versions: 6.0.0 to 6.0.52, 7.0.0 to 7.0.76, 8.0.0.RC1 to 8.0.42, 8.5.0 to 8.5.12

Upstream fixes:

Tomcat 6.x:
https://svn.apache.org/viewvc?view=revision&revision=1789024
https://svn.apache.org/viewvc?view=revision&revision=1789155
https://svn.apache.org/viewvc?view=revision&revision=1789856

Tomcat 7.x:

https://svn.apache.org/viewvc?view=revision&revision=1789008

Tomcat 8.0.x:

https://svn.apache.org/viewvc?view=revision&revision=1788999

Tomcat 8.5.x:

https://svn.apache.org/viewvc?view=revision&revision=1788932

References:

https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.53
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.77
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.43
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.13

Comment 1 Adam Mariš 2017-04-11 13:31:43 UTC
Created jbossweb tracking bugs for this issue:

Affects: openshift-1 [bug 1441243]


Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1441241]
Affects: fedora-all [bug 1441242]

Comment 11 Timothy Walsh 2017-05-12 10:41:09 UTC
Mitigation:

The AJP connector does not support the sendfile capability.  A server configured to only use the AJP connector (disable HTTP Connector) is not affected by this vulnerability.

Disable the sendfile capability by setting useSendfile="false" in the HTTP connector configuration.  Note: Disabling sendfile, may impact performance on large files.

Comment 17 errata-xmlrpc 2017-07-25 16:45:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:1801 https://access.redhat.com/errata/RHSA-2017:1801

Comment 18 errata-xmlrpc 2017-07-25 17:46:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.1

Via RHSA-2017:1802 https://access.redhat.com/errata/RHSA-2017:1802

Comment 19 errata-xmlrpc 2017-08-21 15:26:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2

Via RHSA-2017:2494 https://access.redhat.com/errata/RHSA-2017:2494

Comment 20 errata-xmlrpc 2017-08-21 15:35:01 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:2493 https://access.redhat.com/errata/RHSA-2017:2493

Comment 21 errata-xmlrpc 2017-10-30 00:16:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:3080 https://access.redhat.com/errata/RHSA-2017:3080

Comment 22 errata-xmlrpc 2017-10-30 00:28:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3081 https://access.redhat.com/errata/RHSA-2017:3081


Note You need to log in before you can comment on or make changes to this bug.