Description

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2017-0517.html

http://rhn.redhat.com/errata/RHSA-2017-0826.html

http://rhn.redhat.com/errata/RHSA-2017-0827.html

http://rhn.redhat.com/errata/RHSA-2017-0828.html

http://rhn.redhat.com/errata/RHSA-2017-0829.html

http://www.debian.org/security/2017/dsa-3787

http://www.debian.org/security/2017/dsa-3788

http://www.securityfocus.com/bid/96293

http://www.securitytracker.com/id/1037860

https://bugs.debian.org/851304

https://bz.apache.org/bugzilla/show_bug.cgi?id=60578

https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E

https://lists.debian.org/debian-security-announce/2017/msg00038.html

https://lists.debian.org/debian-security-announce/2017/msg00039.html

https://security.netapp.com/advisory/ntap-20180731-0002/

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Related Vulnerabilities

CVE-2018-8012 Vulnerability in maven package org.apache.zookeeper:zookeeper

CVE-2013-2165 Vulnerability in maven package org.richfaces:richfaces

CVE-2022-40955 Vulnerability in maven package org.apache.inlong:sort-connector-base

CVE-2016-10655 Vulnerability in npm package clang-extra

CVE-2022-29167 Vulnerability in npm package hawk

Severity

High

Classification

CWE-835 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Third Party Advisory VDB Entry Issue Tracking