ID CVE-2017-5650
Summary In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.
References
Vulnerable Configurations
  • Apache Software Foundation Tomcat 8.5.0
    cpe:2.3:a:apache:tomcat:8.5.0
  • Apache Software Foundation Tomcat 8.5.1
    cpe:2.3:a:apache:tomcat:8.5.1
  • Apache Software Foundation Tomcat 8.5.2
    cpe:2.3:a:apache:tomcat:8.5.2
  • Apache Software Foundation Tomcat 8.5.3
    cpe:2.3:a:apache:tomcat:8.5.3
  • Apache Software Foundation Tomcat 8.5.4
    cpe:2.3:a:apache:tomcat:8.5.4
  • Apache Software Foundation Tomcat 8.5.5
    cpe:2.3:a:apache:tomcat:8.5.5
  • Apache Software Foundation Tomcat 8.5.6
    cpe:2.3:a:apache:tomcat:8.5.6
  • Apache Software Foundation Tomcat 8.5.7
    cpe:2.3:a:apache:tomcat:8.5.7
  • Apache Software Foundation Tomcat 8.5.8
    cpe:2.3:a:apache:tomcat:8.5.8
  • Apache Software Foundation Tomcat 8.5.9
    cpe:2.3:a:apache:tomcat:8.5.9
  • Apache Software Foundation Tomcat 8.5.10
    cpe:2.3:a:apache:tomcat:8.5.10
  • Apache Software Foundation Tomcat 8.5.11
    cpe:2.3:a:apache:tomcat:8.5.11
  • Apache Software Foundation Tomcat 8.5.12
    cpe:2.3:a:apache:tomcat:8.5.12
  • Apache Software Foundation Tomcat 9.0.0 M1
    cpe:2.3:a:apache:tomcat:9.0.0:m1
  • Apache Software Foundation Tomcat 9.0.0 M10
    cpe:2.3:a:apache:tomcat:9.0.0:m10
  • Apache Software Foundation Tomcat 9.0.0 M11
    cpe:2.3:a:apache:tomcat:9.0.0:m11
  • Apache Software Foundation Tomcat 9.0.0 M12
    cpe:2.3:a:apache:tomcat:9.0.0:m12
  • Apache Software Foundation Tomcat 9.0.0 M13
    cpe:2.3:a:apache:tomcat:9.0.0:m13
  • Apache Software Foundation Tomcat 9.0.0 M14
    cpe:2.3:a:apache:tomcat:9.0.0:m14
  • Apache Software Foundation Tomcat 9.0.0 M15
    cpe:2.3:a:apache:tomcat:9.0.0:m15
  • Apache Software Foundation Tomcat 9.0.0 M16
    cpe:2.3:a:apache:tomcat:9.0.0:m16
  • Apache Software Foundation Tomcat 9.0.0 M17
    cpe:2.3:a:apache:tomcat:9.0.0:m17
  • Apache Software Foundation Tomcat 9.0.0 M18
    cpe:2.3:a:apache:tomcat:9.0.0:m18
  • Apache Software Foundation Tomcat 9.0.0 M2
    cpe:2.3:a:apache:tomcat:9.0.0:m2
  • Apache Software Foundation Tomcat 9.0.0 M3
    cpe:2.3:a:apache:tomcat:9.0.0:m3
  • Apache Software Foundation Tomcat 9.0.0 M4
    cpe:2.3:a:apache:tomcat:9.0.0:m4
  • Apache Software Foundation Tomcat 9.0.0 M5
    cpe:2.3:a:apache:tomcat:9.0.0:m5
  • Apache Software Foundation Tomcat 9.0.0 M6
    cpe:2.3:a:apache:tomcat:9.0.0:m6
  • Apache Software Foundation Tomcat 9.0.0 M7
    cpe:2.3:a:apache:tomcat:9.0.0:m7
  • Apache Software Foundation Tomcat 9.0.0 M8
    cpe:2.3:a:apache:tomcat:9.0.0:m8
  • Apache Software Foundation Tomcat 9.0.0 M9
    cpe:2.3:a:apache:tomcat:9.0.0:m9
CVSS
Base: 5.0 (as of 21-04-2017 - 08:21)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector   Complexity  Authentication
NETWORK  LOW         NONE
Impact
Confidentiality  Integrity  Availability
NONE             NONE       PARTIAL
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-5261BA4605.NASL
    description This update includes a rebase from tomcat 8.0.42 up to 8.0.43 which resolves multiple CVEs:
      - rhbz#1441242 CVE-2017-5647 CVE-2017-5648 CVE-2017-5650 CVE-2017-5651 tomcat: various flaws
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-02-01
    plugin id 99718
    published 2017-04-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99718
    title Fedora 25 : 1:tomcat (2017-5261ba4605)
  • NASL family Web Servers
    NASL id TOMCAT_8_5_13.NASL
    description According to its self-reported version number, the Apache Tomcat service running on the remote host is 8.5.x prior to 8.5.13 or 9.0.x prior to 9.0.0.M19. It is therefore affected by multiple vulnerabilities:
      - A flaw exists in the handling of pipelined requests when send file processing is used that results in the pipelined request being lost when processing of the previous request has completed, causing responses to be sent for the wrong request. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-5647)
      - A flaw exists in the handling of HTTP/2 GOAWAY frames for a connection due to streams associated with the connection not being properly closed if the connection was currently waiting for a WINDOW_UPDATE before allowing the application to write more data. Each stream consumes a processing thread in the system. An unauthenticated, remote attacker can exploit this issue, via a series of specially crafted HTTP/2 requests, to consume all available threads, resulting in a denial of service condition. (CVE-2017-5650)
      - A flaw exists in HTTP connectors when processing send files. If processing completed quickly, it was possible to add the processor to the processor cache twice, which allows the same processor to be used for multiple requests. An unauthenticated, remote attacker can exploit this to disclose sensitive information from other sessions or cause unexpected errors. (CVE-2017-5651)
      Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-01-16
    modified 2019-01-11
    plugin id 99368
    published 2017-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99368
    title Apache Tomcat 8.5.x < 8.5.13 / 9.0.x < 9.0.0.M19 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-D5AA7C77D6.NASL
    description This update includes a rebase from tomcat 8.0.42 up to 8.0.43 which resolves multiple CVEs:
      - rhbz#1441242 CVE-2017-5647 CVE-2017-5648 CVE-2017-5650 CVE-2017-5651 tomcat: various flaws
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-02-02
    plugin id 99720
    published 2017-04-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99720
    title Fedora 24 : 1:tomcat (2017-d5aa7c77d6)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201705-09.NASL
    description The remote host is affected by the vulnerability described in GLSA-201705-09 (Apache Tomcat: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Tomcat. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to cause a Denial of Service condition, obtain sensitive information, bypass protection mechanisms and authentication restrictions. A local attacker, who is a tomcat’s system user or belongs to tomcat’s group, could potentially escalate privileges. Workaround : There is no known workaround at this time.
    last seen 2019-01-16
    modified 2018-01-26
    plugin id 100262
    published 2017-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100262
    title GLSA-201705-09 : Apache Tomcat: Multiple vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-0E64C4C186.NASL
    description This update includes a rebase from tomcat 8.0.42 up to 8.0.43 which resolves multiple CVEs:
      - rhbz#1441242 CVE-2017-5647 CVE-2017-5648 CVE-2017-5650 CVE-2017-5651 tomcat: various flaws
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-02-01
    plugin id 101573
    published 2017-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101573
    title Fedora 26 : 1:tomcat (2017-0e64c4c186)
refmap via4
bid 97531
confirm
gentoo GLSA-201705-09
mlist [users] 20170410 [SECURITY] CVE-2017-5650 Apache Tomcat Denial of Service
sectrack 1038217
Last major update 21-04-2017 - 10:39
Published 17-04-2017 - 12:59
Last modified 15-06-2018 - 21:29