Description

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

Remediation

References

https://lists.debian.org/debian-security-announce/2017/msg00039.html

https://lists.debian.org/debian-security-announce/2017/msg00038.html

https://bz.apache.org/bugzilla/show_bug.cgi?id=60578

https://bugs.debian.org/851304

http://www.securityfocus.com/bid/96293

http://www.securitytracker.com/id/1037860

http://www.debian.org/security/2017/dsa-3788

http://www.debian.org/security/2017/dsa-3787

http://rhn.redhat.com/errata/RHSA-2017-0829.html

http://rhn.redhat.com/errata/RHSA-2017-0828.html

http://rhn.redhat.com/errata/RHSA-2017-0827.html

http://rhn.redhat.com/errata/RHSA-2017-0826.html

http://rhn.redhat.com/errata/RHSA-2017-0517.html

https://security.netapp.com/advisory/ntap-20180731-0002/

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E

Related Vulnerabilities

CVE-2021-29446 Vulnerability in npm package jose-node-cjs-runtime

CVE-2021-23664 Vulnerability in npm package @isomorphic-git/cors-proxy

CVE-2021-32659 Vulnerability in npm package matrix-appservice-bridge

CVE-2020-6831 Vulnerability in maven package org.webjars.npm:electron

CVE-2022-25842 Vulnerability in maven package com.alibaba.oneagent:one-java-agent-plugin

Severity

High

Classification

CWE-835 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Third Party Advisory Issue Tracking VDB Entry