On 10/04/17 20:41, Stefan Mayr wrote:
> Hi,
>
> On 10.04.2017 at 21:14, Mark Thomas wrote:
>> CVE-2017-5647 Apache Tomcat Information Disclosure
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 9.0.0.M1 to 9.0.0.M18
>> Apache Tomcat 8.5.0 to 8.5.12
>> Apache Tomcat 8.0.0.RC1 to 8.0.42
>> Apache Tomcat 7.0.0 to 7.0.76
>> Apache Tomcat 6.0.0 to 6.0.52
>>
>> Description
>> A bug in the handling of the pipelined requests when send file was used
>> resulted in the pipelined request being lost when send file processing
>> of the previous request completed. This could result in responses
>> appearing to be sent for the wrong request. For example, a user agent
>> that sent requests A, B and C could see the correct response for request
>> A, the response for request C for request B and no response for request C.
>
> How about the pipelining: this reuses a TCP connection for a single
> user. Is it possible for two different users (TCP connections) to see a
> response for the other user?

Not with this vulnerability. The problem occurs within a single connection. If a reverse proxy used pipelining and pipelined requests for multiple users onto a single connection (I think this is extremely unlikely) then that would be different.

>> Mitigation:
>> Users of the affected versions should apply one of the following
>> mitigations:
>> - Switch to the BIO HTTP where available
>> - Disable send file
>> - Upgrade to Apache Tomcat 9.0.0.M19 or later
>> - Upgrade to Apache Tomcat 8.5.13 or later
>> - Upgrade to Apache Tomcat 8.0.43 or later
>> - Upgrade to Apache Tomcat 7.0.77 or later
>> - Upgrade to Apache Tomcat 6.0.53 or later
>
> Does this also affect requests to the AJP connector (Apache httpd +
> mod_jk in front of Tomcat)?

The AJP protocol does not support sendfile.

Mark

>> Credit:
>> This issue was identified by the Tomcat security team.
>>
>> History:
>> 2017-04-10 Original advisory
>>
>> References:
>> [1] http://tomcat.apache.org/security-9.html
>> [2] http://tomcat.apache.org/security-8.html
>> [3] http://tomcat.apache.org/security-7.html
>> [4] http://tomcat.apache.org/security-6.html
>
> Thanks,
>
> Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
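As an added example (not part of the thread and not Tomcat project code), a small Python check for the single-connection behaviour the advisory describes: it pipelines several GETs on one connection, compares each slot's response with a baseline fetched one request per connection, and reports the pattern from the advisory (A correct, B receives C's response, C missing). The sample wire bytes, paths and bodies are constructed; `probe()` takes the host and port of your own test instance (serving static files with sendfile enabled) and is the thing to run before and after applying a mitigation.

```python
import socket
# Constructed sample of the bug on the wire: A, B, C were pipelined, but only A's and C's responses come back.
SAMPLE_PATHS = ["/a.txt", "/b.txt", "/c.txt"]
SAMPLE_BASELINE = [b"AAA", b"BBB", b"CCC"]          # body of each file when fetched on its own connection
SAMPLE_WIRE = (b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\nAAA"
               b"HTTP/1.1 200 OK\r\nContent-Length: 3\r\n\r\nCCC")

def build_pipeline(host, paths):
    return b"".join(f"GET {p} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode() for p in paths)

def read_responses(source, count):
    # Parse up to `count` Content-Length-framed responses from a socket or captured bytes; a short
    # list (timeout/EOF before `count` responses) is exactly how a lost pipelined request shows up.
    buf, recv = (source, lambda n: b"") if isinstance(source, bytes) else (b"", source.recv)
    out = []
    def need(cond):                      # pull bytes until cond(buf) holds; False on timeout/EOF
        nonlocal buf
        while not cond(buf):
            try:
                chunk = recv(4096)
            except (socket.timeout, TimeoutError):
                return False
            if not chunk:
                return False
            buf += chunk
        return True
    while len(out) < count and need(lambda b: b"\r\n\r\n" in b):
        head, buf = buf.split(b"\r\n\r\n", 1)
        lines = head.split(b"\r\n")
        length = next((int(v.strip()) for n, _, v in (h.partition(b":") for h in lines[1:])
                       if n.strip().lower() == b"content-length"), 0)
        if not need(lambda b: len(b) >= length):
            break
        out.append((int(lines[0].split()[1]), buf[:length]))
        buf = buf[length:]
    return out

def diagnose(paths, baseline, got):
    # Pair each request with the response that arrived in its slot and name the request it really belongs to.
    owner = {body: p for p, body in zip(paths, baseline)}
    return [(p, "missing") if i >= len(got) else (p, "ok") if got[i][1] == baseline[i]
            else (p, f"got response for {owner.get(got[i][1], 'unknown')}")
            for i, p in enumerate(paths)]

def probe(host, port, paths, timeout=3.0):
    # Live check: baseline each path on its own connection, then pipeline them all on one connection.
    def fetch(request_paths):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_pipeline(host, request_paths))
            return read_responses(s, len(request_paths))
    return diagnose(paths, [fetch([p])[0][1] for p in paths], fetch(paths))
```

On the constructed sample, `diagnose(SAMPLE_PATHS, SAMPLE_BASELINE, read_responses(SAMPLE_WIRE, 3))` reports `/a.txt` ok, `/b.txt` "got response for /c.txt" and `/c.txt` missing; a fixed server yields "ok" for every slot.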