Vulnerability Description
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Ubuntu Linux | 12.04 |
| Debian | Debian Linux | 8.0 |
Related Weaknesses (CWE)
References
- http://rhn.redhat.com/errata/RHSA-2017-0517.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2017-0826.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2017-0827.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2017-0828.htmlThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2017-0829.htmlThird Party Advisory
- http://www.debian.org/security/2017/dsa-3787Third Party Advisory
- http://www.debian.org/security/2017/dsa-3788Third Party Advisory
- http://www.securityfocus.com/bid/96293Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1037860Third Party AdvisoryVDB Entry
- https://bugs.debian.org/851304Issue TrackingThird Party Advisory
- https://bz.apache.org/bugzilla/show_bug.cgi?id=60578Issue TrackingThird Party Advisory
- https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9
- https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb
- https://lists.debian.org/debian-security-announce/2017/msg00038.htmlThird Party Advisory
- https://lists.debian.org/debian-security-announce/2017/msg00039.htmlThird Party Advisory
FAQ
What is CVE-2017-6056?
CVE-2017-6056 is a vulnerability with a CVSS score of 7.5 (HIGH). It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service i...
How severe is CVE-2017-6056?
CVE-2017-6056 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-6056?
Check the references section above for vendor advisories and patch information. Affected products include: Canonical Ubuntu Linux, Debian Debian Linux.