CVE-2017-5650

Impact:
Important
Public Date:
2017-04-10
Bugzilla:
1441230: CVE-2017-5650 tomcat: Handling of HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection

The MITRE CVE dictionary describes this issue as:

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

Find out more about CVE-2017-5650 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 7.5
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact High

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-java-common-tomcat Not affected
Red Hat JBoss Web Server 3 tomcat7 Not affected
Red Hat JBoss Web Server 3 tomcat8 Not affected
Red Hat JBoss Portal Platform 6 jbossweb Not affected
Red Hat JBoss Operations Network 3 jbossweb Not affected
Red Hat JBoss Fuse Service Works 6 jbossweb Not affected
Red Hat JBoss Fuse 6 karaf Not affected
Red Hat JBoss Fuse 6 jbossweb Not affected
Red Hat JBoss Enterprise SOA Platform 5 jbossweb Not affected
Red Hat JBoss EWS 2 tomcat7 Not affected
Red Hat JBoss EWS 2 tomcat6 Not affected
Red Hat JBoss EAP 6 tomcat7 Not affected
Red Hat JBoss EAP 5 jbossweb Not affected
Red Hat JBoss Data Virtualization 6 jbossweb Not affected
Red Hat JBoss Data Grid 6 jbossweb Not affected
Red Hat JBoss BRMS 5 jbossweb Not affected
Red Hat Enterprise Linux 7 tomcat Not affected
Red Hat Enterprise Linux 6 tomcat6 Not affected
Red Hat Enterprise Linux 5 tomcat5 Not affected

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.