Tomcat potential Denial of Service CVE-2017-6056


Overview

CVE-2017-6056 was assigned to a denial of service flaw in Tomcat that could cause it to enter an infinite loop while processing incoming HTTP requests. The issue was originally reported in 2015 via the Apache Tomcat project Bugzilla as bug 57544 and was corrected in upstream Tomcat versions 8.0.19, 7.0.60, and 6.0.44. At the time of the report there was no known way to trigger the problem other than through bugs in applications deployed on Tomcat, so the issue was not considered a security vulnerability. Further details can be found on the upstream security page.

However, the fix for the request smuggling vulnerability CVE-2016-6816, when applied to older Tomcat versions that did not include the fix for upstream bug 57544, made the infinite loop easy to trigger. CVE-2017-6056 was therefore assigned in 2017, and it applies only to Tomcat builds that carry the CVE-2016-6816 fix but lack the fix for upstream bug 57544. A build with neither fix, or with both, is not affected.

Environment

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
JBoss Enterprise Web Server 3.0.3
JBoss Enterprise Application Server 6.4.12

Resolution

Red Hat Enterprise Linux 6

The fix for CVE-2016-6816 was applied in RHSA-2017:0527. The same erratum also added the fix for CVE-2017-6056 (upstream bug 57544). Therefore, no versions of the tomcat6 packages in Red Hat Enterprise Linux 6 are known to be vulnerable to CVE-2017-6056.

Red Hat Enterprise Linux 7

The tomcat packages in Red Hat Enterprise Linux 7 were updated to upstream version 7.0.69 via RHSA-2016:2599, released as part of Red Hat Enterprise Linux 7.3, so they include the fix for upstream bug 57544 as of that erratum. Any future erratum released to address the CVE-2016-6816 request smuggling issue therefore cannot introduce the CVE-2017-6056 infinite loop issue.
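The condition in the overview (exposed only when the CVE-2016-6816 fix is present and the bug 57544 fix is absent) can be checked mechanically against the installed package. The script below is an added example, not part of this article or of Red Hat's tooling: it combines the upstream version (the 57544 fix is in 6.0.44, 7.0.60 and 8.0.19, so any later release on those branches, including 8.5.x, carries it) with the distribution changelog, which is where a backport to an older base version such as the tomcat6 6.0.x packages shows up. The sample changelog entries are constructed for illustration; on a real host the inputs come from `rpm -q --qf '%{VERSION}' tomcat` and `rpm -q --changelog tomcat` (or `tomcat6`). Matching changelog text on a CVE id or bug number is a heuristic: confirm against the erratum before closing a finding.

```python
"""Assess exposure to CVE-2017-6056 from a Tomcat version and its RPM changelog.

Rule (from the advisory): exposed iff the CVE-2016-6816 fix is present AND the
upstream bug 57544 fix is absent. Added example, not Red Hat's own code.
"""
import re

# Lowest upstream version on each branch that contains the bug 57544 fix.
FIXED_57544 = {6: (6, 0, 44), 7: (7, 0, 60), 8: (8, 0, 19)}


def parse_version(ver):
    """'7.0.69' -> (7, 0, 69). Trailing suffixes such as '9.0.0.M1' are tolerated."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", ver)
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % ver)
    return tuple(int(x) for x in m.groups())


def has_57544_fix(version, changelog=""):
    """True if upstream already carries the fix, or the changelog records a backport.

    A backport is recognised by the Bugzilla id 57544 or by CVE-2017-6056, the
    two identifiers an erratum would reference."""
    v = parse_version(version)
    minimum = FIXED_57544.get(v[0])
    if minimum is not None and v >= minimum:
        return True
    if minimum is None and v[0] > 8:
        return True  # 9.x and later were branched after the Feb 2015 fix
    return re.search(r"\b57544\b|CVE-2017-6056", changelog) is not None


def has_6816_fix(changelog):
    """The CVE-2016-6816 fix is only ever a backport on RHEL, so look in the changelog."""
    return "CVE-2016-6816" in changelog


def exposed_to_cve_2017_6056(version, changelog=""):
    return has_6816_fix(changelog) and not has_57544_fix(version, changelog)


# Constructed sample inputs (not real erratum text) covering the four cases.
SAMPLES = {
    # RHEL 6 style: old base version, both fixes backported in the same erratum.
    "tomcat6 6.0.24 both backports": ("6.0.24",
        "- Resolves: CVE-2016-6816 request smuggling\n"
        "- Resolves: CVE-2017-6056 infinite loop (upstream bug 57544)"),
    # Hypothetical build with only the request smuggling fix backported: exposed.
    "tomcat6 6.0.24 only 6816": ("6.0.24", "- Resolves: CVE-2016-6816"),
    # RHEL 7 style: rebased to 7.0.69, so 57544 is already in upstream code.
    "tomcat 7.0.69 with 6816": ("7.0.69", "- Resolves: CVE-2016-6816"),
    # Neither fix present: the loop cannot be triggered, so not exposed.
    "tomcat 7.0.54 unpatched": ("7.0.54", "- Rebuilt for new release"),
}


def assess_samples():
    """Return {sample name: exposed?} for every constructed sample."""
    return {name: exposed_to_cve_2017_6056(ver, log)
            for name, (ver, log) in SAMPLES.items()}


if __name__ == "__main__":
    for name, exposed in assess_samples().items():
        print("%-32s %s" % (name, "EXPOSED" if exposed else "not exposed"))
```

Only the "only 6816" sample comes out exposed, which is exactly the window the advisory describes: the fix for one CVE applied without the other.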

JBoss Enterprise Web Server 3

The patch for CVE-2016-6816 was introduced only in JBoss Enterprise Web Server 3.1, so JBoss Enterprise Web Server 3.0.x builds without that patch cannot be affected by CVE-2017-6056.
A patch for CVE-2017-6056 was applied in the following errata for JBoss Enterprise Web Server 3.0.3.

JBoss Enterprise Application Server 6

The fix for CVE-2016-6816 was introduced in EAP 6.4.13, which means that CVE-2017-6056 affected only EAP 6.4.13.
The fix for CVE-2017-6056 was applied in the following errata for JBoss Enterprise Application Server 6.4.14.
