CVE-2017-6056

high

Description

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

References

https://security.netapp.com/advisory/ntap-20180731-0002/

https://lists.debian.org/debian-security-announce/2017/msg00039.html

https://lists.debian.org/debian-security-announce/2017/msg00038.html

https://bz.apache.org/bugzilla/show_bug.cgi?id=60578

https://bugs.debian.org/851304

http://www.securitytracker.com/id/1037860

http://www.securityfocus.com/bid/96293

http://www.debian.org/security/2017/dsa-3788

http://www.debian.org/security/2017/dsa-3787

http://rhn.redhat.com/errata/RHSA-2017-0829.html

http://rhn.redhat.com/errata/RHSA-2017-0828.html

http://rhn.redhat.com/errata/RHSA-2017-0827.html

http://rhn.redhat.com/errata/RHSA-2017-0826.html

http://rhn.redhat.com/errata/RHSA-2017-0517.html

https://www.tenable.com/blog/oracle-critical-patch-update-for-october-contains-180-fixes

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E

Details

Source: Mitre, NVD

Published: 2017-02-17

Updated: 2025-04-20

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

EPSS

EPSS: 0.1505