Fixed in Apache Tomcat 8.5.13

Important: Information Disclosure CVE-2017-5651

The refactoring of the HTTP connectors for 8.5.x onwards, introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.

This was fixed in revision 1788546.

This issue was identified by the Apache Tomcat Security Team on 24 March 2017 and made public on 10 April 2017.

Affects: 8.5.0 to 8.5.12

Important: Denial of Service CVE-2017-5650

The handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

This was fixed in revision 1788480.

This issue was reported to the Apache Tomcat Security Team by Chun Han Hsiao on 11 March 2017 and made public on 10 April 2017.

Affects: 8.5.0 to 8.5.12

Important: Information Disclosure CVE-2017-5647

A bug in the handling of the pipelined requests when send file was used resulted in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

This was fixed in revision 1788932.

This issue was identified by the Apache Tomcat Security Team on 20 March 2017 and made public on 10 April 2017.

Affects: 8.5.0 to 8.5.12