A bug in the handling of pipelined requests when sendfile was used resulted in the pipelined request being lost when sendfile processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B, and no response for request C.

Affected versions: 6.0.0 to 6.0.52, 7.0.0 to 7.0.76, 8.0.0.RC1 to 8.0.42, 8.5.0 to 8.5.12

Upstream fixes:
Tomcat 6.x:
https://svn.apache.org/viewvc?view=revision&revision=1789024
https://svn.apache.org/viewvc?view=revision&revision=1789155
https://svn.apache.org/viewvc?view=revision&revision=1789856
Tomcat 7.x:
https://svn.apache.org/viewvc?view=revision&revision=1789008
Tomcat 8.0.x:
https://svn.apache.org/viewvc?view=revision&revision=1788999
Tomcat 8.5.x:
https://svn.apache.org/viewvc?view=revision&revision=1788932

References:
https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.53
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.77
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.43
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.13
Created jbossweb tracking bugs for this issue:
Affects: openshift-1 [bug 1441243]

Created tomcat tracking bugs for this issue:
Affects: epel-6 [bug 1441241]
Affects: fedora-all [bug 1441242]
Mitigation:
The AJP connector does not support the sendfile capability. A server configured to use only the AJP connector (with the HTTP connector disabled) is not affected by this vulnerability.
Otherwise, disable the sendfile capability by setting useSendfile="false" in the HTTP connector configuration. Note: disabling sendfile may impact performance on large files.
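As an added check that is not part of this advisory or of the Tomcat project, the following Python script (standard library only) parses a server.xml excerpt and reports, per Connector, whether it is AJP, whether useSendfile is explicitly set to "false", or whether it still relies on the default (sendfile on); it also tests a version string against the affected ranges listed above. The server.xml sample is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml excerpt for illustration (not a real deployment's file):
# one default HTTP connector, one HTTPS connector already mitigated, one AJP connector.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" useSendfile="false"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Affected ranges from the advisory, inclusive, as (major, minor, patch).
AFFECTED_RANGES = [((6, 0, 0), (6, 0, 52)), ((7, 0, 0), (7, 0, 76)),
                   ((8, 0, 0), (8, 0, 42)), ((8, 5, 0), (8, 5, 12))]

def version_affected(version):
    """True if a Tomcat version string (e.g. '8.0.0.RC1') is in an affected range.
    Only the leading numeric major.minor.patch parts are compared; qualifiers are ignored."""
    parts = []
    for token in version.split("."):
        if not token.isdigit():
            break
        parts.append(int(token))
    v = tuple(parts + [0] * (3 - len(parts)))[:3]
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def audit_connectors(xml_text):
    """Classify every <Connector> as (port, protocol, status), where status is
    'ajp' (no sendfile support, not affected), 'mitigated' (useSendfile="false"
    set explicitly), or 'sendfile-enabled' (Tomcat defaults useSendfile to true)."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default when omitted
        if protocol.startswith(("AJP/", "org.apache.coyote.ajp.")):
            status = "ajp"
        elif conn.get("useSendfile", "true").strip().lower() == "false":
            status = "mitigated"
        else:
            status = "sendfile-enabled"
        findings.append((port, protocol, status))
    return findings
```

Run audit_connectors over the contents of $CATALINA_BASE/conf/server.xml; any HTTP connector reported as sendfile-enabled on an affected version still needs either the upstream fix or useSendfile="false".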
This issue has been addressed in the following products:
  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6
Via RHSA-2017:1801 https://access.redhat.com/errata/RHSA-2017:1801

This issue has been addressed in the following products:
  Red Hat JBoss Web Server 3.1.1
Via RHSA-2017:1802 https://access.redhat.com/errata/RHSA-2017:1802

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Web Server 2
Via RHSA-2017:2494 https://access.redhat.com/errata/RHSA-2017:2494

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7
Via RHSA-2017:2493 https://access.redhat.com/errata/RHSA-2017:2493

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6
Via RHSA-2017:3080 https://access.redhat.com/errata/RHSA-2017:3080

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2017:3081 https://access.redhat.com/errata/RHSA-2017:3081