{
  "threat_severity" : "Important",
  "public_date" : "2017-04-10T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: Incorrect handling of pipelined requests when send file was used",
    "id" : "1441205",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1441205"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.", "A vulnerability was discovered in Tomcat's handling of pipelined requests when \"Sendfile\" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2017-10-30T00:00:00Z",
    "advisory" : "RHSA-2017:3080",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "tomcat6-0:6.0.24-111.el6_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2017-10-30T00:00:00Z",
    "advisory" : "RHSA-2017:3081",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "tomcat-0:7.0.76-3.el7_4"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6",
    "release_date" : "2017-08-21T00:00:00Z",
    "advisory" : "RHSA-2017:2493",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6",
    "package" : "jbcs-httpd24-openssl-1:1.0.2h-13.jbcs.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6",
    "release_date" : "2017-08-21T00:00:00Z",
    "advisory" : "RHSA-2017:2493",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6",
    "package" : "tomcat6-0:6.0.41-17_patch_04.ep6.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6",
    "release_date" : "2017-08-21T00:00:00Z",
    "advisory" : "RHSA-2017:2493",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6",
    "package" : "tomcat7-0:7.0.54-25_patch_05.ep6.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7",
    "release_date" : "2017-08-21T00:00:00Z",
    "advisory" : "RHSA-2017:2493",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7",
    "package" : "jbcs-httpd24-openssl-1:1.0.2h-13.jbcs.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7",
    "release_date" : "2017-08-21T00:00:00Z",
    "advisory" : "RHSA-2017:2493",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7",
    "package" : "tomcat6-0:6.0.41-17_patch_04.ep6.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7",
    "release_date" : "2017-08-21T00:00:00Z",
    "advisory" : "RHSA-2017:2493",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7",
    "package" : "tomcat7-0:7.0.54-25_patch_05.ep6.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 2.1",
    "release_date" : "2017-08-21T00:00:00Z",
    "advisory" : "RHSA-2017:2494",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2.1",
    "package" : "tomcat6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 2.1",
    "release_date" : "2017-08-21T00:00:00Z",
    "advisory" : "RHSA-2017:2494",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2.1",
    "package" : "tomcat7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3.1",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1802",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat7-0:7.0.70-22.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat8-0:8.0.36-24.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat-native-0:1.2.8-10.redhat_10.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "log4j-eap6-0:1.2.16-12.redhat_3.1.ep6.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat7-0:7.0.70-22.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat8-0:8.0.36-24.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-07-25T00:00:00Z",
    "advisory" : "RHSA-2017:1801",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat-native-0:1.2.8-10.redhat_10.ep7.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "tomcat5",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Affected",
    "package_name" : "CXF",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "impact" : "important"
  }, {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Will not fix",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Under investigation",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Not affected",
    "package_name" : "karaf",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Will not fix",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat JBoss Portal 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5",
    "fix_state" : "Will not fix",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Affected",
    "package_name" : "tomcat7",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Affected",
    "package_name" : "tomcat8",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-java-common-tomcat",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-5647\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-5647" ],
  "name" : "CVE-2017-5647",
  "mitigation" : {
    "value" : "The AJP connector does not support the sendfile capability. A server configured to use only the AJP connector (with the HTTP connector disabled) is not affected by this vulnerability.\nDisable the sendfile capability by setting useSendfile=\"false\" in the HTTP connector configuration. Note: disabling sendfile may impact performance on large files.",
    "lang" : "en:us"
  },
  "csaw" : false
}