CVE-2017-6056 - It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat

CVE-2017-6056

Summary

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

References

Vulnerable Configurations

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:

CWE

CWE-835

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:N/A:P

redhat via4

advisories

rhsa
id RHSA-2017:0517
rhsa
id RHSA-2017:0826
rhsa
id RHSA-2017:0827
rhsa
id RHSA-2017:0828
rhsa
id RHSA-2017:0829

rpms

apache-cxf-0:2.7.18-6.SP5_redhat_1.1.ep6.el5
hornetq-0:2.3.25-19.SP17_redhat_1.1.ep6.el5
infinispan-0:5.2.21-1.Final_redhat_1.1.ep6.el5
infinispan-cachestore-jdbc-0:5.2.21-1.Final_redhat_1.1.ep6.el5
infinispan-cachestore-remote-0:5.2.21-1.Final_redhat_1.1.ep6.el5
infinispan-client-hotrod-0:5.2.21-1.Final_redhat_1.1.ep6.el5
infinispan-core-0:5.2.21-1.Final_redhat_1.1.ep6.el5
jboss-as-appclient-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-cli-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-client-all-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-clustering-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-cmp-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-configadmin-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-connector-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-controller-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-controller-client-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-core-security-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-deployment-repository-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-deployment-scanner-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-domain-http-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-domain-management-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-ee-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-ee-deployment-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-ejb3-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-embedded-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-host-controller-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-jacorb-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-jaxr-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-jaxrs-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-jdr-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-jmx-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-jpa-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-jsf-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-jsr77-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-logging-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-mail-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-management-client-content-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-messaging-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-modcluster-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-naming-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-network-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-osgi-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-osgi-configadmin-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-osgi-service-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-picketlink-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-platform-mbean-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-pojo-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-process-controller-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-protocol-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-remoting-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-sar-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-security-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-server-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-system-jmx-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-threads-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-transactions-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-version-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-web-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-webservices-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-weld-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-as-xts-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jboss-modules-0:1.3.8-1.Final_redhat_1.1.ep6.el5
jboss-msc-0:1.1.7-1.SP1_redhat_1.1.ep6.el5
jboss-remoting3-0:3.3.9-1.Final_redhat_1.1.ep6.el5
jbossas-appclient-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jbossas-bundles-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jbossas-core-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jbossas-domain-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jbossas-javadocs-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jbossas-modules-eap-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jbossas-product-eap-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jbossas-standalone-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jbossas-welcome-content-eap-0:7.5.14-2.Final_redhat_2.1.ep6.el5
jbossts-1:4.17.39-1.Final_redhat_1.1.ep6.el5
jbossweb-0:7.5.21-2.Final_redhat_2.1.ep6.el5
picketbox-0:4.1.4-1.Final_redhat_1.1.ep6.el5
resteasy-0:2.3.17-1.Final_redhat_1.1.ep6.el5
weld-core-0:1.1.34-1.Final_redhat_1.1.ep6.el5
apache-cxf-0:2.7.18-6.SP5_redhat_1.1.ep6.el6
hornetq-0:2.3.25-19.SP17_redhat_1.1.ep6.el6
infinispan-0:5.2.21-1.Final_redhat_1.1.ep6.el6
infinispan-cachestore-jdbc-0:5.2.21-1.Final_redhat_1.1.ep6.el6
infinispan-cachestore-remote-0:5.2.21-1.Final_redhat_1.1.ep6.el6
infinispan-client-hotrod-0:5.2.21-1.Final_redhat_1.1.ep6.el6
infinispan-core-0:5.2.21-1.Final_redhat_1.1.ep6.el6
jboss-as-appclient-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-cli-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-client-all-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-clustering-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-cmp-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-configadmin-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-connector-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-controller-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-controller-client-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-core-security-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-deployment-repository-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-deployment-scanner-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-domain-http-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-domain-management-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-ee-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-ee-deployment-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-ejb3-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-embedded-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-host-controller-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-jacorb-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-jaxr-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-jaxrs-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-jdr-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-jmx-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-jpa-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-jsf-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-jsr77-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-logging-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-mail-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-management-client-content-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-messaging-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-modcluster-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-naming-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-network-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-osgi-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-osgi-configadmin-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-osgi-service-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-picketlink-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-platform-mbean-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-pojo-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-process-controller-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-protocol-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-remoting-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-sar-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-security-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-server-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-system-jmx-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-threads-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-transactions-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-version-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-web-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-webservices-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-weld-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-as-xts-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jboss-modules-0:1.3.8-1.Final_redhat_1.1.ep6.el6
jboss-msc-0:1.1.7-1.SP1_redhat_1.1.ep6.el6
jboss-remoting3-0:3.3.9-1.Final_redhat_1.1.ep6.el6
jbossas-appclient-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jbossas-bundles-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jbossas-core-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jbossas-domain-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jbossas-javadocs-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jbossas-modules-eap-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jbossas-product-eap-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jbossas-standalone-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jbossas-welcome-content-eap-0:7.5.14-2.Final_redhat_2.1.ep6.el6
jbossts-1:4.17.39-1.Final_redhat_1.1.ep6.el6
jbossweb-0:7.5.21-2.Final_redhat_2.1.ep6.el6
picketbox-0:4.1.4-1.Final_redhat_1.1.ep6.el6
resteasy-0:2.3.17-1.Final_redhat_1.1.ep6.el6
weld-core-0:1.1.34-1.Final_redhat_1.1.ep6.el6
apache-cxf-0:2.7.18-6.SP5_redhat_1.1.ep6.el7
hornetq-0:2.3.25-19.SP17_redhat_1.1.ep6.el7
infinispan-0:5.2.21-1.Final_redhat_1.1.ep6.el7
infinispan-cachestore-jdbc-0:5.2.21-1.Final_redhat_1.1.ep6.el7
infinispan-cachestore-remote-0:5.2.21-1.Final_redhat_1.1.ep6.el7
infinispan-client-hotrod-0:5.2.21-1.Final_redhat_1.1.ep6.el7
infinispan-core-0:5.2.21-1.Final_redhat_1.1.ep6.el7
jboss-as-appclient-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-cli-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-client-all-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-clustering-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-cmp-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-configadmin-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-connector-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-controller-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-controller-client-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-core-security-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-deployment-repository-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-deployment-scanner-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-domain-http-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-domain-management-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-ee-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-ee-deployment-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-ejb3-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-embedded-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-host-controller-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-jacorb-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-jaxr-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-jaxrs-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-jdr-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-jmx-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-jpa-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-jsf-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-jsr77-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-logging-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-mail-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-management-client-content-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-messaging-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-modcluster-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-naming-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-network-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-osgi-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-osgi-configadmin-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-osgi-service-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-picketlink-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-platform-mbean-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-pojo-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-process-controller-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-protocol-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-remoting-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-sar-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-security-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-server-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-system-jmx-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-threads-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-transactions-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-version-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-web-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-webservices-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-weld-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-as-xts-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jboss-modules-0:1.3.8-1.Final_redhat_1.1.ep6.el7
jboss-msc-0:1.1.7-1.SP1_redhat_1.1.ep6.el7
jboss-remoting3-0:3.3.9-1.Final_redhat_1.1.ep6.el7
jbossas-appclient-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jbossas-bundles-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jbossas-core-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jbossas-domain-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jbossas-javadocs-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jbossas-modules-eap-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jbossas-product-eap-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jbossas-standalone-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jbossas-welcome-content-eap-0:7.5.14-2.Final_redhat_2.1.ep6.el7
jbossts-1:4.17.39-1.Final_redhat_1.1.ep6.el7
jbossweb-0:7.5.21-2.Final_redhat_2.1.ep6.el7
picketbox-0:4.1.4-1.Final_redhat_1.1.ep6.el7
resteasy-0:2.3.17-1.Final_redhat_1.1.ep6.el7
weld-core-0:1.1.34-1.Final_redhat_1.1.ep6.el7
jboss-ec2-eap-0:7.5.14-2.Final_redhat_2.ep6.el6
jboss-ec2-eap-samples-0:7.5.14-2.Final_redhat_2.ep6.el6

refmap via4

bid	96293
confirm	https://bugs.debian.org/851304 https://bz.apache.org/bugzilla/show_bug.cgi?id=60578 https://lists.debian.org/debian-security-announce/2017/msg00038.html https://lists.debian.org/debian-security-announce/2017/msg00039.html https://security.netapp.com/advisory/ntap-20180731-0002/
debian	DSA-3787 DSA-3788
misc	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
mlist	[activemq-issues] 20190723 [jira] [Created] (AMQ-7249) Security Vulnerabilities in the ActiveMQ dependent jars. [activemq-issues] 20190925 [jira] [Created] (AMQ-7310) Security Vulnerabilities in Tomcat-websocket-api.jar
sectrack	1037860

Last major update

03-10-2019 - 00:03

Published

17-02-2017 - 07:59

Last modified

03-10-2019 - 00:03