CVE-2017-5650
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.
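To make the failure mode concrete, the following is an added illustrative model (not Tomcat's code, and not from this tracker) of the stream lifecycle the description refers to: a worker thread parks when the application writes into a stream whose send window is exhausted, and it is only released if GOAWAY handling closes that parked stream. The class and function names, the pool size and the stream ids are all constructed for the illustration; the normal WINDOW_UPDATE wake-up path is left out for brevity.

```python
from dataclasses import dataclass, field

@dataclass
class Stream:
    stream_id: int
    send_window: int = 0                     # bytes the peer currently lets us send
    waiting_for_window_update: bool = False  # True while a worker thread is parked here
    closed: bool = False

@dataclass
class Http2Connection:
    worker_pool_size: int
    close_waiting_streams_on_goaway: bool = True  # False reproduces the CVE-2017-5650 behaviour
    streams: dict = field(default_factory=dict)

    def open_stream(self, stream_id: int) -> None:
        self.streams[stream_id] = Stream(stream_id)

    def free_workers(self) -> int:
        blocked = sum(1 for s in self.streams.values() if s.waiting_for_window_update)
        return max(0, self.worker_pool_size - blocked)

    def app_write(self, stream_id: int, nbytes: int) -> bool:
        # Application write: with no send window the worker parks until WINDOW_UPDATE.
        stream = self.streams[stream_id]
        if stream.closed:
            return False
        if stream.send_window < nbytes:
            stream.waiting_for_window_update = True  # thread is now pinned to this stream
            return False
        stream.send_window -= nbytes
        return True

    def on_goaway(self) -> None:
        # Peer is closing the connection: close every stream, including those parked
        # on WINDOW_UPDATE, so their worker threads return to the pool.
        for stream in self.streams.values():
            if stream.waiting_for_window_update and not self.close_waiting_streams_on_goaway:
                continue  # vulnerable path: the parked worker is never released
            stream.closed = True
            stream.waiting_for_window_update = False

def simulate(pool_size: int, n_streams: int, fixed: bool) -> int:
    # Constructed scenario: n client streams park workers on WINDOW_UPDATE, then GOAWAY arrives.
    conn = Http2Connection(pool_size, close_waiting_streams_on_goaway=fixed)
    for sid in range(1, 2 * n_streams, 2):  # client-initiated stream ids are odd
        conn.open_stream(sid)
        conn.app_write(sid, 1024)           # send window is 0, so the worker parks
    conn.on_goaway()
    return conn.free_workers()
```

With the vulnerable flag set, every parked stream keeps its worker after GOAWAY, so a pool of eight workers is fully exhausted by eight such streams; with the fixed behaviour all eight are returned.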
Related bugs and status
CVE-2017-5650 (Candidate) is related to these bugs:
Bug #1817567: backport tomcat & dependencies for OpenJDK 11
Bug | Summary | In | Importance | Status
---|---|---|---|---
1817567 | backport tomcat & dependencies for OpenJDK 11 | tomcat9 (Ubuntu) | Undecided | New
1817567 | backport tomcat & dependencies for OpenJDK 11 | websocket-api (Ubuntu) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | eclipse-emf (Ubuntu Bionic) | Undecided | Fix Committed
1817567 | backport tomcat & dependencies for OpenJDK 11 | jetty9 (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | swt4-gtk (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | tomcat-native (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | tomcat8 (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | eclipse-debian-helper (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | eclipse-jdt-core (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | eclipse-jdt-debug (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | eclipse-jdt-ui (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | eclipse-platform-debug (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | eclipse-platform-resources (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | eclipse-platform-runtime (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | eclipse-platform-team (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | eclipse-platform-text (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | eclipse-platform-ua (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | eclipse-platform-ui (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | el-api (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | equinox-bundles (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | equinox-framework (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | equinox-p2 (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | jsp-api (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | servlet-api (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | tomcat9 (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | websocket-api (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | libeclipse-emf (Ubuntu Bionic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | jetty9 (Ubuntu Cosmic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | tomcat8 (Ubuntu Cosmic) | Undecided | Fix Released
1817567 | backport tomcat & dependencies for OpenJDK 11 | tomcat9 (Ubuntu Cosmic) | Undecided | Fix Released
See the CVE page on Mitre.org for more details.