CVE-2017-5647
A vulnerability was discovered in Tomcat's handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure.
Find out more about CVE-2017-5647 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 7.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | None |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server | RHSA-2017:2493 | 2017-08-21 |
| Red Hat Enterprise Linux 6 (tomcat6) | RHSA-2017:3080 | 2017-10-30 |
| Red Hat Enterprise Linux 7 (tomcat) | RHSA-2017:3081 | 2017-10-30 |
| Red Hat JBoss Web Server 3.1 | RHSA-2017:1802 | 2017-07-25 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server | RHSA-2017:2493 | 2017-08-21 |
| Red Hat JBoss Web Server 3.1 for RHEL 6 | RHSA-2017:1801 | 2017-07-25 |
| Red Hat JBoss Web Server 3.1 for RHEL 7 | RHSA-2017:1801 | 2017-07-25 |
| Red Hat JBoss Web Server 2.1 | RHSA-2017:2494 | 2017-08-21 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-java-common-tomcat | Not affected |
| Red Hat JBoss Web Server 3.0 | tomcat7 | Affected |
| Red Hat JBoss Web Server 3.0 | tomcat8 | Affected |
| Red Hat JBoss Portal Platform 6 | jbossweb | Not affected |
| Red Hat JBoss Operations Network 3 | jbossweb | Not affected |
| Red Hat JBoss Fuse Service Works 6 | jbossweb | Will not fix |
| Red Hat JBoss Fuse 6 | karaf | Not affected |
| Red Hat JBoss Fuse 6 | jbossweb | Under investigation |
| Red Hat JBoss Enterprise SOA Platform 5 | jbossweb | Will not fix |
| Red Hat JBoss EAP 6 | jbossweb | Not affected |
| Red Hat JBoss EAP 5 | jbossweb | Not affected |
| Red Hat JBoss Data Virtualization 6 | jbossweb | Not affected |
| Red Hat JBoss Data Grid 6 | jbossweb | Not affected |
| Red Hat JBoss BRMS 5 | jbossweb | Will not fix |
| Red Hat Enterprise Linux 5 | tomcat5 | Not affected |
Mitigation
The AJP connector does not support the sendfile capability. A server configured to only use the AJP connector (disable HTTP Connector) is not affected by this vulnerability.
Disable the sendfile capability by setting useSendfile="false" in the HTTP connector configuration. Note: Disabling sendfile, may impact performance on large files.