Vulnerability Name: CVE-2017-6056 (CCN-122312)
Assigned: 2017-02-16
Published: 2017-02-16
Updated: 2019-10-03

Summary: It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

CVSS v3 Severity:
  7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): High

  7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): High
CVSS v2 Severity:
  5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Partial

  7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): None; Integrity (I): None; Availability (A): Complete
Vulnerability Type: CWE-835
Vulnerability Consequences: Denial of Service

References:
  Source: MITRE | Type: CNA | CVE-2017-6056
  Source: CCN | Type: RHSA-2017-0517 | Important: Red Hat JBoss Enterprise Application Platform security update
  Source: REDHAT | Type: Third Party Advisory | RHSA-2017:0517
  Source: CCN | Type: RHSA-2017-0826 | Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 5
  Source: REDHAT | Type: Third Party Advisory | RHSA-2017:0826
  Source: CCN | Type: RHSA-2017-0827 | Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 6
  Source: REDHAT | Type: Third Party Advisory | RHSA-2017:0827
  Source: CCN | Type: RHSA-2017-0828 | Important: Red Hat JBoss Enterprise Application Platform 6.4.14 update on RHEL 7
  Source: REDHAT | Type: Third Party Advisory | RHSA-2017:0828
  Source: CCN | Type: RHSA-2017-0829 | Important: jboss-ec2-eap security, bug fix, and enhancement update
  Source: REDHAT | Type: Third Party Advisory | RHSA-2017:0829
  Source: CCN | Type: Apache Web site | Tomcat
  Source: DEBIAN | Type: Third Party Advisory | DSA-3787
  Source: DEBIAN | Type: Third Party Advisory | DSA-3788
  Source: CCN | Type: IBM Security Bulletin S1010022 (Storwize V7000 (2076)) | Vulnerabilities in Apache Tomcat affect SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2017-6056)
  Source: CCN | Type: IBM Security Bulletin S1010073 (FlashSystem 840) | A Vulnerability in Apache Tomcat affects the IBM FlashSystem models 840 and 900
  Source: CCN | Type: IBM Security Bulletin 1999760 (Rational Collaborative Lifecycle Management) | Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology
  Source: CCN | Type: IBM Security Bulletin 2002267 (WebSphere Application Server Community Edition) | Multiple Security vulnerabilities in WebSphere Application Server Community Edition
  Source: CCN | Type: IBM Security Bulletin 2003183 (Rational Build Forge) | Rational Build Forge Security Advisory (CVE-2016-8610, CVE-2017-6056, CVE-2017-5647, CVE-2017-5648)
  Source: CCN | Type: IBM Security Bulletin 2008541 (OpenPages GRC Platform) | IBM OpenPages GRC Platform has addressed multiple Apache Tomcat vulnerabilities.
  Source: CCN | Type: IBM Security Bulletin 2013753 (Security Guardium Big Data Intelligence) | IBM Security Guardium Big Data Intelligence (SonarG) is vulnerable to using Components with Known Vulnerabilities
  Source: CCN | Type: Oracle CPUOct2019 | Oracle Critical Patch Update Advisory - October 2019
  Source: BID | Type: Third Party Advisory, VDB Entry | 96293
  Source: CCN | Type: BID-96293 | Apache Tomcat 'http11/AbstractInputBuffer.java' Denial of Service Vulnerability
  Source: SECTRACK | Type: Third Party Advisory, VDB Entry | 1037860
  Source: CONFIRM | Type: Issue Tracking, Third Party Advisory | https://bugs.debian.org/851304
  Source: CCN | Type: ASF Bugzilla Bug 60578 | Server CPU maxed out (100% per core) randomly after a few hours
  Source: CONFIRM | Type: Issue Tracking, Third Party Advisory | https://bz.apache.org/bugzilla/show_bug.cgi?id=60578
  Source: XF | Type: UNKNOWN | apache-cve20176056-dos(122312)
  Source: MLIST | Type: UNKNOWN | [activemq-issues] 20190925 [jira] [Created] (AMQ-7310) Security Vulnerabilities in Tomcat-websocket-api.jar
  Source: MLIST | Type: UNKNOWN | [activemq-issues] 20190723 [jira] [Created] (AMQ-7249) Security Vulnerabilities in the ActiveMQ dependent jars.
  Source: CONFIRM | Type: Third Party Advisory | https://lists.debian.org/debian-security-announce/2017/msg00038.html
  Source: CONFIRM | Type: Third Party Advisory | https://lists.debian.org/debian-security-announce/2017/msg00039.html
  Source: CONFIRM | Type: Third Party Advisory | https://security.netapp.com/advisory/ntap-20180731-0002/
  Source: CCN | Type: IBM Security Bulletin 3011649 (Resilient) | Resilient is vulnerable to Using Components with Known Vulnerabilities
  Source: MISC | Type: UNKNOWN | https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
  Source: CCN | Type: WhiteSource Vulnerability Database | CVE-2017-6056

Vulnerable Configuration:

Configuration 1:
  cpe:/o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:* OR
  cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* OR
  cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration CCN 1:
  cpe:/a:apache:tomcat:6:*:*:*:*:*:*:* OR
  cpe:/a:apache:tomcat:7:*:*:*:*:*:*:*
  AND
  cpe:/a:ibm:rational_build_forge:8.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:storwize_v7000_software:6.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:storwize_v7000_software:6.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:storwize_v7000_software:6.3:*:*:*:*:*:*:* OR
  cpe:/a:ibm:storwize_v7000_software:6.4:*:*:*:*:*:*:* OR
  cpe:/a:ibm:storwize_v7000_software:7.1:*:*:*:*:*:*:* OR
  cpe:/a:redhat:jboss_enterprise_application_platform:6:*:el6:*:*:*:*:* OR
  cpe:/a:ibm:storwize_v7000_software:7.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_build_forge:8.0.0.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_build_forge:8.0.0.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:websphere_application_server:3.0.0.4:-:community:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.3:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.4:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.5:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.6:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.7:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:5.0.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:storwize_v7000_software:7.3:*:*:*:*:*:*:* OR
  cpe:/a:ibm:storwize_v7000_software:7.4:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0:*:*:*:*:*:*:* OR
  cpe:/a:ibm:openpages_grc_platform:7.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:storwize_v7000_software:7.5:*:*:*:*:*:*:* OR
  cpe:/a:ibm:storwize_v7000_software:7.6:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:storwize_v7000_software:7.6.1:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.2:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_build_forge:8.0.0.3:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.3:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_build_forge:8.0.0.4:*:*:*:*:*:*:* OR
  cpe:/a:redhat:jboss_enterprise_application_platform:6.4.14:*:*:*:*:*:*:* OR
  cpe:/a:redhat:jboss_enterprise_application_platform:6.4.13:*:*:*:*:*:*:* OR
  cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.4:*:*:*:*:*:*:* OR
  cpe:/a:ibm:security_guardium_big_data_intelligence:3.1:*:*:*:*:*:*:* OR
  cpe:/a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:* OR
  cpe:/a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:* OR
  cpe:/a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*

Affected components (vendor, product, version), as listed in the configuration table:
canonical ubuntu linux 12.04
canonical ubuntu linux 14.04
debian debian linux 8.0
apache tomcat 6
apache tomcat 7
ibm rational build forge 8.0
ibm storwize v7000 software 6.1
ibm storwize v7000 software 6.2
ibm storwize v7000 software 6.3
ibm storwize v7000 software 6.4
ibm storwize v7000 software 7.1
redhat jboss enterprise application platform 6
ibm storwize v7000 software 7.2
ibm rational build forge 8.0.0.1
ibm rational build forge 8.0.0.2
ibm websphere application server 3.0.0.4 -
ibm rational collaborative lifecycle management 4.0
ibm rational collaborative lifecycle management 4.0.1
ibm rational collaborative lifecycle management 4.0.2
ibm rational collaborative lifecycle management 4.0.3
ibm rational collaborative lifecycle management 4.0.4
ibm rational collaborative lifecycle management 4.0.5
ibm rational collaborative lifecycle management 4.0.6
ibm rational collaborative lifecycle management 5.0
ibm rational collaborative lifecycle management 4.0.7
ibm rational collaborative lifecycle management 5.0.1
ibm rational collaborative lifecycle management 5.0.2
ibm storwize v7000 software 7.3
ibm storwize v7000 software 7.4
ibm rational collaborative lifecycle management 6.0
ibm openpages grc platform 7.1
ibm storwize v7000 software 7.5
ibm storwize v7000 software 7.6
ibm rational collaborative lifecycle management 6.0.1
ibm storwize v7000 software 7.6.1
ibm rational collaborative lifecycle management 6.0.2
ibm rational build forge 8.0.0.3
ibm rational collaborative lifecycle management 6.0.3
ibm rational build forge 8.0.0.4
redhat jboss enterprise application platform 6.4.14
redhat jboss enterprise application platform 6.4.13
ibm rational collaborative lifecycle management 6.0.4
ibm security guardium big data intelligence 3.1
oracle instantis enterprisetrack 17.1
oracle instantis enterprisetrack 17.2
oracle instantis enterprisetrack 17.3