Description

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2017-0517.html

http://rhn.redhat.com/errata/RHSA-2017-0826.html

http://rhn.redhat.com/errata/RHSA-2017-0827.html

http://rhn.redhat.com/errata/RHSA-2017-0828.html

http://rhn.redhat.com/errata/RHSA-2017-0829.html

http://www.debian.org/security/2017/dsa-3787

http://www.debian.org/security/2017/dsa-3788

http://www.securityfocus.com/bid/96293

http://www.securitytracker.com/id/1037860

https://bugs.debian.org/851304

https://bz.apache.org/bugzilla/show_bug.cgi?id=60578

https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E

https://lists.debian.org/debian-security-announce/2017/msg00038.html

https://lists.debian.org/debian-security-announce/2017/msg00039.html

https://security.netapp.com/advisory/ntap-20180731-0002/

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Related Vulnerabilities

CVE-2020-9480 Vulnerability in maven package org.apache.spark:spark-network-common_2.10

CVE-2020-35774 Vulnerability in maven package com.twitter:twitter-server

CVE-2019-14862 Vulnerability in maven package li.rudin.mavenjs:knockout

CVE-2018-1305 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2016-0706 Vulnerability in maven package org.apache.tomcat:catalina

Severity

High

Classification

CWE-835 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Third Party Advisory VDB Entry Issue Tracking