PT-2016-7120 · Apache · Apache Tomcat
Published: 2016-11-08 · Updated: 2024-10-15 · CVE-2016-6817
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 8.5.0 through 8.5.6
Apache Tomcat versions 9.0.0.M1 through 9.0.0.M11
Description
The HTTP/2 header parser in Apache Tomcat entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible.
Recommendations
For Apache Tomcat versions 8.5.0 through 8.5.6, update to a version outside of this range to resolve the issue.
For Apache Tomcat versions 9.0.0.M1 through 9.0.0.M11, update to a version outside of this range to resolve the issue.
As a temporary workaround, consider restricting the size of HTTP/2 headers to prevent the infinite loop condition.
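The following toy parser is an added illustration of the failure mode in the description and of the size-limit workaround above; it is constructed for this page and is not Apache Tomcat's HTTP/2 code. Headers are modelled as "name: value" lines ending with a blank line, standing in for the HTTP/2 header block. The names `parse_headers`, `HeaderTooLarge`, `buffer_size`, `fail_closed` and `max_iterations` are all invented here: with `fail_closed=False` a header larger than the buffer leaves the loop unable to make progress, which is the pattern the advisory describes; with `fail_closed=True` the parser rejects the oversized header instead, which is what an explicit header size limit buys you.

```python
"""Toy buffered header parser: the no-progress loop on an oversized header
and its fail-closed fix. Constructed example; NOT Tomcat's HTTP/2 parser."""


class HeaderTooLarge(Exception):
    """Raised when a single header cannot fit in the parser's buffer."""


def parse_headers(stream, buffer_size=16, fail_closed=True, max_iterations=10_000):
    """Parse "name: value\\n" lines from `stream` through a fixed-size buffer.

    Returns (headers, status) where status is "done" (blank line reached),
    "eof" (stream ended early) or "stuck" (no progress within max_iterations).
    With fail_closed=False the parser reproduces the vulnerable pattern: when
    the buffer is full and still holds no delimiter, the read step cannot add
    bytes, so every iteration repeats the same state. `max_iterations` exists
    only so this demonstration terminates; a real server would spin forever,
    which is the denial of service the advisory describes.
    """
    headers = []
    buf = bytearray()
    pos = 0
    for _ in range(max_iterations):
        nl = buf.find(b"\n")
        if nl != -1:
            line = bytes(buf[:nl])
            del buf[: nl + 1]
            if line == b"":
                return headers, "done"  # blank line ends the header block
            name, _, value = line.partition(b":")
            headers.append((name.strip().decode(), value.strip().decode()))
            continue

        # No complete header in the buffer: try to read more bytes.
        space = buffer_size - len(buf)
        if space == 0 and fail_closed:
            # Hardened behaviour: a header that can never fit is rejected
            # immediately instead of being waited for indefinitely.
            raise HeaderTooLarge(
                f"header exceeds {buffer_size}-byte buffer: {bytes(buf[:16])!r}..."
            )
        chunk = stream[pos:pos + space]  # reads zero bytes when space == 0
        pos += len(chunk)
        buf += chunk
        if not chunk and space > 0:
            return headers, "eof"  # stream ended before the blank line
    return headers, "stuck"  # only the vulnerable variant lands here


if __name__ == "__main__":
    # Constructed inputs: a well-formed block that straddles buffer reads,
    # and a single header far larger than the 16-byte buffer.
    normal = b"ab: cd\nef: gh\n\n"
    oversized = b"x-long: " + b"a" * 100 + b"\n\n"
    print(parse_headers(normal, buffer_size=8))
    print(parse_headers(oversized, buffer_size=16, fail_closed=False))
    try:
        parse_headers(oversized, buffer_size=16)
    except HeaderTooLarge as exc:
        print("rejected:", exc)
```

The design point is that the hardened branch checks a condition that is already known to be unrecoverable (the buffer is full and no delimiter is present) rather than hoping the next read will help; a configured header size limit on the server plays the same role, turning an unbounded wait into a deterministic rejection that can be logged and monitored.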
Tags: Fix · DoS · Infinite Loop · Buffer Overflow
Affected Products
Apache Tomcat