Your submission was sent successfully! Close

CVE-2017-6056

Published: 13 February 2017

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

From the Ubuntu security team

It was discovered that Tomcat incorrectly handled certain HTTP requests. A remote attacker could possibly use this issue to cause Tomcat to consume resources, resulting in a denial of service.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
tomcat6
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise
Released (6.0.35-1ubuntu3.11)
trusty Needed

upstream Needs triage

xenial Ignored
(end of standard support, was needed)
yakkety Does not exist

zesty Does not exist

tomcat7
Launchpad, Ubuntu, Debian
artful Not vulnerable
(7.0.75-1)
bionic Not vulnerable
(7.0.75-1)
cosmic Not vulnerable
(7.0.75-1)
disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist
(precise was needed)
trusty
Released (7.0.52-1ubuntu0.10)
upstream
Released (7.0.60)
xenial Not vulnerable
(7.0.68-1ubuntu0.1)
yakkety Not vulnerable
(7.0.72-1)
zesty Not vulnerable
(7.0.75-1)
tomcat8
Launchpad, Ubuntu, Debian
artful Not vulnerable
(8.0.38-2)
bionic Not vulnerable
(8.0.38-2)
cosmic Not vulnerable
(8.0.38-2)
disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (8.0.19)
xenial Not vulnerable
(8.0.32-1ubuntu1.3)
yakkety Not vulnerable
(8.0.37-1ubuntu0.1)
zesty Not vulnerable
(8.0.38-2)