Vulnerability Details : CVE-2017-6056
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
Vulnerability category: Denial of service
Products affected by CVE-2017-6056
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-6056
EPSS score: 1.34% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~85% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2017-6056
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST |
CWE ids for CVE-2017-6056
- The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-6056
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (link currently returns "Page not found")
- https://bz.apache.org/bugzilla/show_bug.cgi?id=60578 : Bug 60578 – Server CPU maxed out (100% per core) randomly after a few hours (Issue Tracking; Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-0517.html : RHSA-2017:0517 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.securityfocus.com/bid/96293 : Apache Tomcat 'http11/AbstractInputBuffer.java' Denial of Service Vulnerability (Third Party Advisory; VDB Entry)
- https://bugs.debian.org/851304 : #851304 - tomcat8 use 100% cpu time - Debian Bug report logs (Issue Tracking; Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-0829.html : RHSA-2017:0829 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-0826.html : RHSA-2017:0826 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.debian.org/security/2017/dsa-3788 : Debian -- Security Information -- DSA-3788-1 tomcat8 (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-0828.html : RHSA-2017:0828 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://lists.debian.org/debian-security-announce/2017/msg00038.html : [SECURITY] [DSA 3787-1] tomcat7 security update (Third Party Advisory)
- http://www.securitytracker.com/id/1037860 : Apache Tomcat HTTPS Request Processing Bug Lets Remote Users Deny Service - SecurityTracker (Third Party Advisory; VDB Entry)
- https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d@%3Cissues.activemq.apache.org%3E : [jira] [Created] (AMQ-7310) Security Vulnerabilities in Tomcat-websocket-api.jar (Apache mailing list archive)
- http://www.debian.org/security/2017/dsa-3787 : Debian -- Security Information -- DSA-3787-1 tomcat7 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20180731-0002/ : November 2017 Apache Tomcat Vulnerabilities in NetApp Products | NetApp Product Security (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-0827.html : RHSA-2017:0827 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E : thread on issues.activemq.apache.org (Apache mailing list archive)
- https://lists.debian.org/debian-security-announce/2017/msg00039.html : [SECURITY] [DSA 3788-1] tomcat8 security update (Third Party Advisory)