// For flags

CVE-2017-6056

tomcat: Infinite loop in the processing of https requests

Severity Score

7.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

Se descubrió que un error de programación en el procesamiento de solicitudes HTTPS en el servlet Apache Tomcat y en el motor JSP puede dar como resultado la denegación de servicio a través de un bucle infinito. La denegación de servicio es fácilmente alcanzable como consecuencia de backporting una corrección CVE-2016-6816 pero no backporting la corrección para el error 57544 de Tomcat. Las distribuciones afectadas por este problema de backporting incluyen Debian (en versiones anteriores a 7.0.56-3+deb8u8 y 8.0.14-1+deb8u7 en jessie) y Ubuntu.

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-02-16 CVE Reserved
  • 2017-02-17 CVE Published
  • 2024-01-21 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CAPEC
References (20)
URL Tag Source
http://www.securityfocus.com/bid/96293 Third Party Advisory
http://www.securitytracker.com/id/1037860 Third Party Advisory
https://bugs.debian.org/851304 Issue Tracking
https://bz.apache.org/bugzilla/show_bug.cgi?id=60578 Issue Tracking
https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E Mailing List
https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E Mailing List
https://lists.debian.org/debian-security-announce/2017/msg00038.html Third Party Advisory
https://lists.debian.org/debian-security-announce/2017/msg00039.html Third Party Advisory
https://security.netapp.com/advisory/ntap-20180731-0002 Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html X_refsource_misc
URL Date SRC
URL Date SRC
URL Date SRC
http://rhn.redhat.com/errata/RHSA-2017-0517.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-0826.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-0827.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-0828.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-0829.html 2023-11-07
http://www.debian.org/security/2017/dsa-3787 2023-11-07
http://www.debian.org/security/2017/dsa-3788 2023-11-07
https://access.redhat.com/security/cve/CVE-2017-6056 2017-03-22
https://bugzilla.redhat.com/show_bug.cgi?id=1422148 2017-03-22
https://access.redhat.com/articles/2991951 2017-03-22
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 12.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
lts
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected