Severity: High (7.5) · NVD Advisory · Published Apr 17, 2017 · Updated May 13, 2026

CVE-2017-5650

Description

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.
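As an added illustration (not Tomcat code and not taken from the advisory's patch), the following Python model shows why a connection close that does not reset its waiting streams pins threads: each stream's writer thread blocks until a WINDOW_UPDATE grants credit or the stream is reset, and only the patched close() releases them. The Stream, Connection and stuck_threads_after_close names are this model's own assumptions.

```python
import threading

class Stream:
    """One HTTP/2 stream whose writer is blocked waiting for a WINDOW_UPDATE."""
    def __init__(self, stream_id):
        self.stream_id = stream_id
        self._cond = threading.Condition()
        self._window = 0      # flow-control credit granted by the peer (none yet)
        self._reset = False   # set by receive_reset(); releases the blocked writer

    def wait_for_window(self, timeout):
        """Block until credit arrives or the stream is reset; False means still stuck."""
        with self._cond:
            return self._cond.wait_for(lambda: self._window > 0 or self._reset, timeout)

    def receive_reset(self):
        """Counterpart of the patch's stream.receiveReset(CANCEL): wake the waiter."""
        with self._cond:
            self._reset = True
            self._cond.notify_all()

class Connection:
    def __init__(self, stream_count):
        # Client-initiated streams use odd identifiers (constructed sample state).
        self.streams = {i: Stream(i) for i in range(1, 2 * stream_count, 2)}
        self.closed = False

    def close(self, reset_streams):
        """Connection close after GOAWAY. Vulnerable: only mark closed. Patched: also
        reset every associated stream, as the fix-commit loop does."""
        self.closed = True
        if reset_streams:
            for stream in self.streams.values():
                stream.receive_reset()

def stuck_threads_after_close(stream_count, patched, timeout=0.5):
    """One writer thread per stream, close the connection, then count the threads
    still blocked when the timeout expires (each such thread is lost to the pool)."""
    conn = Connection(stream_count)
    released = {}
    def writer(stream):
        released[stream.stream_id] = stream.wait_for_window(timeout)
    threads = [threading.Thread(target=writer, args=(s,)) for s in conn.streams.values()]
    for t in threads:
        t.start()
    conn.close(reset_streams=patched)
    for t in threads:
        t.join()
    return sum(1 for ok in released.values() if not ok)
```

With the vulnerable close every writer thread is still blocked after the timeout; with the patched close none is, which is the thread-exhaustion difference the description refers to.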

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem   Affected versions           Patched versions
org.apache.tomcat:tomcat   Maven       >= 9.0.0.M1, < 9.0.0.M19    9.0.0.M19
org.apache.tomcat:tomcat   Maven       >= 8.5.0, < 8.5.13          8.5.13

Affected products (32)

  • Apache/Tomcat: 31 versions
  • Apache Software Foundation/Apache Tomcat (v5)
    Range: 9.0.0.M1 to 9.0.0.M18

Patches (2)

2cb9c724e6a2

Close the streams as soon as we know the connection is closing

https://github.com/apache/tomcat · Mark Thomas · Mar 24, 2017 · via GHSA
1 file changed · +5 -0
  • java/org/apache/coyote/http2/Http2UpgradeHandler.java · modified · +5 -0
    @@ -983,6 +983,11 @@ private Stream createLocalStream(Request request) {
     
         private void close() {
             connectionState.set(ConnectionState.CLOSED);
    +        for (Stream stream : streams.values()) {
    +            // The connection is closing. Close the associated streams as no
    +            // longer required.
    +            stream.receiveReset(Http2Error.CANCEL.getCode());
    +        }
             try {
                 socketWrapper.close();
             } catch (IOException ioe) {
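Review bot: the new loop in close() iterates streams.values() while calling stream.receiveReset(Http2Error.CANCEL.getCode()) on each entry; if receiveReset (or another thread) can remove a stream from streams and the map is not a concurrent one, that is a ConcurrentModificationException waiting to happen, so either confirm the map type or iterate over a snapshot such as new ArrayList<>(streams.values()). The fix also relies on two things not visible in this hunk: that resetting a stream wakes a thread blocked waiting for a WINDOW_UPDATE, and that the GOAWAY handling path actually reaches close(); a regression test that blocks a few streams on flow control, delivers a GOAWAY and asserts the threads are released would document that the thread-exhaustion path from the description is closed.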
    
5496e193a89b

Close the streams as soon as we know the connection is closing

https://github.com/apache/tomcat · Mark Thomas · Mar 24, 2017 · via GHSA
1 file changed · +5 -0
  • java/org/apache/coyote/http2/Http2UpgradeHandler.java · modified · +5 -0
    @@ -983,6 +983,11 @@ private Stream createLocalStream(Request request) {
     
         private void close() {
             connectionState.set(ConnectionState.CLOSED);
    +        for (Stream stream : streams.values()) {
    +            // The connection is closing. Close the associated streams as no
    +            // longer required.
    +            stream.receiveReset(Http2Error.CANCEL.getCode());
    +        }
             try {
                 socketWrapper.close();
             } catch (IOException ioe) {
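Review bot: this hunk is identical to the one in 2cb9c724e6a2 above (same file, same @@ -983,6 +983,11 @@ range and same five added lines), so the same two points apply here: iterating streams.values() while receiveReset(...) runs needs the map to be safe against concurrent removal, and a test covering GOAWAY followed by release of the threads waiting for WINDOW_UPDATE is still absent. Since the page lists two commits with the same message, the commit message would benefit from naming the branch it targets.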
    
