CVE-2017-6056

moderate-risk

Published 2017-02-17

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

Do I need to act?

15.9% chance of exploitation in next 30 days

EPSS score — higher than 84% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (3)

Ubuntu Linux

Debian Linux

Affected Vendors

Canonical Debian

References (34)

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2017-0517.html

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2017-0826.html

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2017-0827.html

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2017-0828.html

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2017-0829.html

Third Party Advisory http://www.debian.org/security/2017/dsa-3787

Third Party Advisory http://www.debian.org/security/2017/dsa-3788

Third Party Advisory http://www.securityfocus.com/bid/96293

Third Party Advisory http://www.securitytracker.com/id/1037860

Issue Tracking https://bugs.debian.org/851304

Issue Tracking https://bz.apache.org/bugzilla/show_bug.cgi?id=60578

https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9...

https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb...

Third Party Advisory https://lists.debian.org/debian-security-announce/2017/msg00038.html

Third Party Advisory https://lists.debian.org/debian-security-announce/2017/msg00039.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20180731-0002/

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2017-0517.html

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2017-0826.html

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2017-0827.html

and 14 more references

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 13/34 · Low

Exposure 9/34 · Low