ID CVE-2017-5651
Summary In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.
References
Vulnerable Configurations
  • Apache Software Foundation Tomcat 8.5.0
    cpe:2.3:a:apache:tomcat:8.5.0
  • Apache Software Foundation Tomcat 8.5.1
    cpe:2.3:a:apache:tomcat:8.5.1
  • Apache Software Foundation Tomcat 8.5.2
    cpe:2.3:a:apache:tomcat:8.5.2
  • Apache Software Foundation Tomcat 8.5.3
    cpe:2.3:a:apache:tomcat:8.5.3
  • Apache Software Foundation Tomcat 8.5.4
    cpe:2.3:a:apache:tomcat:8.5.4
  • Apache Software Foundation Tomcat 8.5.5
    cpe:2.3:a:apache:tomcat:8.5.5
  • Apache Software Foundation Tomcat 8.5.6
    cpe:2.3:a:apache:tomcat:8.5.6
  • Apache Software Foundation Tomcat 8.5.7
    cpe:2.3:a:apache:tomcat:8.5.7
  • Apache Software Foundation Tomcat 8.5.8
    cpe:2.3:a:apache:tomcat:8.5.8
  • Apache Software Foundation Tomcat 8.5.9
    cpe:2.3:a:apache:tomcat:8.5.9
  • Apache Software Foundation Tomcat 8.5.10
    cpe:2.3:a:apache:tomcat:8.5.10
  • Apache Software Foundation Tomcat 8.5.11
    cpe:2.3:a:apache:tomcat:8.5.11
  • Apache Software Foundation Tomcat 8.5.12
    cpe:2.3:a:apache:tomcat:8.5.12
  • Apache Software Foundation Tomcat 9.0.0 M1
    cpe:2.3:a:apache:tomcat:9.0.0:m1
  • Apache Software Foundation Tomcat 9.0.0 M10
    cpe:2.3:a:apache:tomcat:9.0.0:m10
  • Apache Software Foundation Tomcat 9.0.0 M11
    cpe:2.3:a:apache:tomcat:9.0.0:m11
  • Apache Software Foundation Tomcat 9.0.0 M12
    cpe:2.3:a:apache:tomcat:9.0.0:m12
  • Apache Software Foundation Tomcat 9.0.0 M13
    cpe:2.3:a:apache:tomcat:9.0.0:m13
  • Apache Software Foundation Tomcat 9.0.0 M14
    cpe:2.3:a:apache:tomcat:9.0.0:m14
  • Apache Software Foundation Tomcat 9.0.0 M15
    cpe:2.3:a:apache:tomcat:9.0.0:m15
  • Apache Software Foundation Tomcat 9.0.0 M16
    cpe:2.3:a:apache:tomcat:9.0.0:m16
  • Apache Software Foundation Tomcat 9.0.0 M17
    cpe:2.3:a:apache:tomcat:9.0.0:m17
  • Apache Software Foundation Tomcat 9.0.0 M18
    cpe:2.3:a:apache:tomcat:9.0.0:m18
  • Apache Software Foundation Tomcat 9.0.0 M2
    cpe:2.3:a:apache:tomcat:9.0.0:m2
  • Apache Software Foundation Tomcat 9.0.0 M3
    cpe:2.3:a:apache:tomcat:9.0.0:m3
  • Apache Software Foundation Tomcat 9.0.0 M4
    cpe:2.3:a:apache:tomcat:9.0.0:m4
  • Apache Software Foundation Tomcat 9.0.0 M5
    cpe:2.3:a:apache:tomcat:9.0.0:m5
  • Apache Software Foundation Tomcat 9.0.0 M6
    cpe:2.3:a:apache:tomcat:9.0.0:m6
  • Apache Software Foundation Tomcat 9.0.0 M7
    cpe:2.3:a:apache:tomcat:9.0.0:m7
  • Apache Software Foundation Tomcat 9.0.0 M8
    cpe:2.3:a:apache:tomcat:9.0.0:m8
  • Apache Software Foundation Tomcat 9.0.0 M9
    cpe:2.3:a:apache:tomcat:9.0.0:m9
CVSS
Base: 7.5 (as of 21-04-2017 - 08:23)
Impact:
Exploitability:
CWE CWE-19
CAPEC
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-D5AA7C77D6.NASL
    description This updates includes a rebase from tomcat 8.0.42 up to 8.0.43 which resolves multiple CVEs : - rhbz#1441242 CVE-2017-5647 CVE-2017-5648 CVE-2017-5650 CVE-2017-5651 tomcat: various flaws Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-02
    plugin id 99720
    published 2017-04-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99720
    title Fedora 24 : 1:tomcat (2017-d5aa7c77d6)
  • NASL family CGI abuses
    NASL id MYSQL_ENTERPRISE_MONITOR_3_3_4_3247.NASL
    description According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.2.x prior to 3.2.8.2223 or 3.3.x prior to 3.3.4.3247. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Apache Tomcat component in the handling of pipelined requests when send file processing is used that results in the pipelined request being lost when processing of the previous request has completed, causing responses to be sent for the wrong request. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-5647) - A flaw exists in the Apache Tomcat component in HTTP connectors when processing send files. If processing completed quickly, it was possible to add the processor to the processor cache twice, which allows the same processor to be used for multiple requests. An unauthenticated, remote attacker can exploit this to disclose sensitive information from other sessions or cause unexpected errors. (CVE-2017-5651)
    last seen 2019-02-21
    modified 2018-06-14
    plugin id 101895
    published 2017-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101895
    title MySQL Enterprise Monitor 3.2.x < 3.2.8.2223 / 3.3.x < 3.3.4.3247 Multiple Vulnerabilities (July 2017 CPU)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-5261BA4605.NASL
    description This updates includes a rebase from tomcat 8.0.42 up to 8.0.43 which resolves multiple CVEs : - rhbz#1441242 CVE-2017-5647 CVE-2017-5648 CVE-2017-5650 CVE-2017-5651 tomcat: various flaws Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 99718
    published 2017-04-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99718
    title Fedora 25 : 1:tomcat (2017-5261ba4605)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201705-09.NASL
    description The remote host is affected by the vulnerability described in GLSA-201705-09 (Apache Tomcat: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Tomcat. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to cause a Denial of Service condition, obtain sensitive information, bypass protection mechanisms and authentication restrictions. A local attacker, who is a tomcat’s system user or belongs to tomcat’s group, could potentially escalate privileges. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 100262
    published 2017-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100262
    title GLSA-201705-09 : Apache Tomcat: Multiple vulnerabilities
  • NASL family Web Servers
    NASL id TOMCAT_8_5_13.NASL
    description According to its self-reported version number, the Apache Tomcat service running on the remote host is 8.5.x prior to 8.5.13 or 9.0.x prior to 9.0.0.M19. It is therefore affected by multiple vulnerabilities : - A flaw exists in the handling of pipelined requests when send file processing is used that results in the pipelined request being lost when processing of the previous request has completed, causing responses to be sent for the wrong request. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-5647) - A flaw exists in the handling of HTTP/2 GOAWAY frames for a connection due to streams associated with the connection not being properly closed if the connection was currently waiting for a WINDOW_UPDATE before allowing the application to write more data. Each stream consumes a processing thread in the system. An unauthenticated, remote attacker can exploit this issue, via a series of specially crafted HTTP/2 requests, to consume all available threads, resulting in a denial of service condition. (CVE-2017-5650) - A flaw exists in HTTP connectors when processing send files. If processing completed quickly, it was possible to add the processor to the processor cache twice, which allows the same processor to be used for multiple requests. An unauthenticated, remote attacker can exploit this to disclose sensitive information from other sessions or cause unexpected errors. (CVE-2017-5651) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-11
    plugin id 99368
    published 2017-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99368
    title Apache Tomcat 8.5.x < 8.5.13 / 9.0.x < 9.0.0.M19 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-0E64C4C186.NASL
    description This updates includes a rebase from tomcat 8.0.42 up to 8.0.43 which resolves multiple CVEs : - rhbz#1441242 CVE-2017-5647 CVE-2017-5648 CVE-2017-5650 CVE-2017-5651 tomcat: various flaws Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 101573
    published 2017-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101573
    title Fedora 26 : 1:tomcat (2017-0e64c4c186)
refmap via4
bid 97544
confirm
gentoo GLSA-201705-09
mlist
  • [tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
  • [tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
  • [users] 20170410 [SECURITY] CVE-2017-5651 Apache Tomcat Information Disclosure
sectrack 1038219
Last major update 21-04-2017 - 11:04
Published 17-04-2017 - 12:59
Last modified 15-04-2019 - 12:31
Back to Top