CVE-2017-5651
First published: Mon Apr 17 2017(Updated: )
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=8.5.0<=8.5.12 | 8.5.13 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=9.0.0.M1<=9.0.0.M18 | 9.0.0.M19 |
| maven/org.apache.tomcat:tomcat-coyote | >=8.5.0<=8.5.12 | 8.5.13 |
| maven/org.apache.tomcat:tomcat-coyote | >=9.0.0.M1<=9.0.0.M18 | 9.0.0.M19 |
| Tomcat | =8.5.0 | |
| Tomcat | =8.5.1 | |
| Tomcat | =8.5.2 | |
| Tomcat | =8.5.3 | |
| Tomcat | =8.5.4 | |
| Tomcat | =8.5.5 | |
| Tomcat | =8.5.6 | |
| Tomcat | =8.5.7 | |
| Tomcat | =8.5.8 | |
| Tomcat | =8.5.9 | |
| Tomcat | =8.5.10 | |
| Tomcat | =8.5.11 | |
| Tomcat | =8.5.12 | |
| Tomcat | =9.0.0-milestone1 | |
| Tomcat | =9.0.0-milestone10 | |
| Tomcat | =9.0.0-milestone11 | |
| Tomcat | =9.0.0-milestone12 | |
| Tomcat | =9.0.0-milestone13 | |
| Tomcat | =9.0.0-milestone14 | |
| Tomcat | =9.0.0-milestone15 | |
| Tomcat | =9.0.0-milestone16 | |
| Tomcat | =9.0.0-milestone17 | |
| Tomcat | =9.0.0-milestone18 | |
| Tomcat | =9.0.0-milestone2 | |
| Tomcat | =9.0.0-milestone3 | |
| Tomcat | =9.0.0-milestone4 | |
| Tomcat | =9.0.0-milestone5 | |
| Tomcat | =9.0.0-milestone6 | |
| Tomcat | =9.0.0-milestone7 | |
| Tomcat | =9.0.0-milestone8 | |
| Tomcat | =9.0.0-milestone9 | |
| Tomcat | =9.0.0-m1 | |
| Tomcat | =9.0.0-m10 | |
| Tomcat | =9.0.0-m11 | |
| Tomcat | =9.0.0-m12 | |
| Tomcat | =9.0.0-m13 | |
| Tomcat | =9.0.0-m14 | |
| Tomcat | =9.0.0-m15 | |
| Tomcat | =9.0.0-m16 | |
| Tomcat | =9.0.0-m17 | |
| Tomcat | =9.0.0-m18 | |
| Tomcat | =9.0.0-m2 | |
| Tomcat | =9.0.0-m3 | |
| Tomcat | =9.0.0-m4 | |
| Tomcat | =9.0.0-m5 | |
| Tomcat | =9.0.0-m6 | |
| Tomcat | =9.0.0-m7 | |
| Tomcat | =9.0.0-m8 | |
| Tomcat | =9.0.0-m9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.securityfocus.com/bid/97544
- http://www.securitytracker.com/id/1038219
- https://bz.apache.org/bugzilla/show_bug.cgi?id=60918
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8@%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E
- https://security.gentoo.org/glsa/201705-09
- https://security.netapp.com/advisory/ntap-20180614-0001/
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2017-5651
- https://web.archive.org/web/20170417124228/http://www.securityfocus.com/bid/97544
- https://web.archive.org/web/20170420113605/http://www.securitytracker.com/id/1038219
- https://github.com/apache/tomcat/commit/494429ca210641b6b7affe89a2b0a6c0ff70109b
- https://github.com/apache/tomcat/commit/9233d9d6a018be4415d4d7d6cb4fe01176adf1a8
- https://security.netapp.com/advisory/ntap-20180614-0001
- https://github.com/advisories/GHSA-9hg2-395j-83rm (Advisory)
- https://github.com/search?q=repo%3Aapache%2Ftomcat+apache.coyote+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F&type=code
Frequently Asked Questions
What is the severity of CVE-2017-5651?
CVE-2017-5651 has a medium severity rating due to the potential for processor cache corruption in Apache Tomcat.
How do I fix CVE-2017-5651?
To fix CVE-2017-5651, upgrade to Apache Tomcat versions 8.5.13 or 9.0.0.M19.
Which versions of Apache Tomcat are affected by CVE-2017-5651?
CVE-2017-5651 affects Apache Tomcat versions 8.5.0 to 8.5.12 and 9.0.0.M1 to 9.0.0.M18.
Can CVE-2017-5651 affect file processing in Tomcat?
Yes, CVE-2017-5651 can cause issues in file processing due to the potential for duplicated processors in the cache.
What components are related to CVE-2017-5651 in Apache Tomcat?
CVE-2017-5651 is associated with the Tomcat HTTP connectors and specifically the send file processing feature.
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/remedy
- agent/author
- agent/severity
- agent/description
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-9hg2-395j-83rm
- alias/CVE-2017-5651
- agent/software-canonical-lookup
- agent/references
- agent/last-modified-date
- collector/github-advisory
- agent/softwarecombine
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- package-manager/maven
- vendor/apache
- canonical/tomcat
- version/tomcat/8.5.0
- version/tomcat/8.5.1
- version/tomcat/8.5.2
- version/tomcat/8.5.3
- version/tomcat/8.5.4
- version/tomcat/8.5.5
- version/tomcat/8.5.6
- version/tomcat/8.5.7
- version/tomcat/8.5.8
- version/tomcat/8.5.9
- version/tomcat/8.5.10
- version/tomcat/8.5.11
- version/tomcat/8.5.12
- version/tomcat/9.0.0-milestone1
- version/tomcat/9.0.0-milestone10
- version/tomcat/9.0.0-milestone11
- version/tomcat/9.0.0-milestone12
- version/tomcat/9.0.0-milestone13
- version/tomcat/9.0.0-milestone14
- version/tomcat/9.0.0-milestone15
- version/tomcat/9.0.0-milestone16
- version/tomcat/9.0.0-milestone17
- version/tomcat/9.0.0-milestone18
- version/tomcat/9.0.0-milestone2
- version/tomcat/9.0.0-milestone3
- version/tomcat/9.0.0-milestone4
- version/tomcat/9.0.0-milestone5
- version/tomcat/9.0.0-milestone6
- version/tomcat/9.0.0-milestone7
- version/tomcat/9.0.0-milestone8
- version/tomcat/9.0.0-milestone9
- version/tomcat/9.0.0-m1
- version/tomcat/9.0.0-m10
- version/tomcat/9.0.0-m11
- version/tomcat/9.0.0-m12
- version/tomcat/9.0.0-m13
- version/tomcat/9.0.0-m14
- version/tomcat/9.0.0-m15
- version/tomcat/9.0.0-m16
- version/tomcat/9.0.0-m17
- version/tomcat/9.0.0-m18
- version/tomcat/9.0.0-m2
- version/tomcat/9.0.0-m3
- version/tomcat/9.0.0-m4
- version/tomcat/9.0.0-m5
- version/tomcat/9.0.0-m6
- version/tomcat/9.0.0-m7
- version/tomcat/9.0.0-m8
- version/tomcat/9.0.0-m9