CVE-2017-5650 in Tomcatinfo

Summary

by MITRE

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 11/28/2022

The vulnerability described in CVE-2017-5650 represents a critical thread exhaustion issue within Apache Tomcat's HTTP/2 implementation that directly impacts system availability and resource management. This flaw affects versions ranging from 9.0.0.M1 through 9.0.0.M18 and 8.5.0 through 8.5.12, indicating a prolonged period during which the vulnerability remained unaddressed. The issue specifically manifests in how Tomcat processes HTTP/2 GOAWAY frames, which are standard protocol mechanisms used to signal the end of a connection or stream. When a GOAWAY frame is received, the server should properly terminate associated streams and release the threads they were consuming. However, in the affected versions, streams that were waiting for WINDOW_UPDATE frames were not being properly closed, leading to thread starvation.

The technical flaw stems from improper stream lifecycle management within the HTTP/2 protocol handling code. When a client sends a GOAWAY frame, it typically indicates that the connection should be terminated and no further data should be sent or received on that connection. In the vulnerable implementation, streams that were in a waiting state for WINDOW_UPDATE frames were not being properly cleaned up, causing them to remain in memory and consume processing threads indefinitely. This creates a scenario where each waiting stream holds onto a thread that could otherwise be used for legitimate requests, effectively reducing the available thread pool capacity. The vulnerability is particularly insidious because it can be exploited through a carefully crafted sequence of HTTP/2 requests that gradually deplete the thread pool.

The operational impact of this vulnerability is severe and directly translates to a denial of service condition. An attacker with minimal privileges can construct a series of HTTP/2 requests that will consume all available processing threads in the Tomcat server. This thread exhaustion prevents the server from processing legitimate requests, effectively making the application unavailable to genuine users. The attack is particularly effective because it requires minimal resources to execute and can be performed by a single malicious client. The vulnerability affects the server's ability to maintain normal service availability and can cause cascading failures in applications that depend on Tomcat for serving HTTP/2 traffic. The issue also impacts the overall performance characteristics of the server, as thread starvation leads to increased latency and reduced throughput for all concurrent operations.

The root cause of this vulnerability aligns with CWE-400, which addresses unchecked resource consumption, and more specifically relates to CWE-1294, which deals with improper handling of HTTP/2 streams. From an ATT&CK perspective, this vulnerability maps to T1499.004, which covers network denial of service attacks, and T1566.001, which involves spearphishing attacks that could be used to deliver malicious HTTP/2 requests. The vulnerability demonstrates the importance of proper resource cleanup in protocol implementations and highlights the risks associated with incomplete HTTP/2 specification compliance. Organizations should implement immediate mitigations including upgrading to patched versions of Tomcat, implementing rate limiting for HTTP/2 connections, and monitoring for unusual thread pool utilization patterns. Additionally, security teams should consider implementing connection-level rate limiting and stream monitoring to detect and prevent exploitation attempts. The vulnerability also underscores the need for comprehensive testing of protocol implementations, particularly for complex features like HTTP/2 that involve sophisticated state management and resource handling.

Reservation

01/29/2017

Disclosure

04/17/2017

Moderation

accepted

Entry

VDB-99569

CPE

ready

EPSS

0.08275

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!