PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6056 Canonical CVE debrief

CVE-2017-6056 is a network-reachable denial-of-service issue in Apache Tomcat's HTTPS request processing that can drive the server into an infinite loop. NVD rates it HIGH (CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps it to CWE-835. The issue is described as a backporting mistake: a fix for CVE-2016-6816 was applied without the related Tomcat bug 57544 fix, affecting packaged deployments such as Debian and Ubuntu.

Vendor: Canonical
Product: CVE-2017-6056
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

System administrators and platform teams running Apache Tomcat from affected Debian or Ubuntu package builds, especially services that accept HTTPS traffic.

Technical summary

The vulnerability affects distro-packaged Tomcat builds where HTTPS request handling can enter an infinite loop because only part of the upstream fix set was backported. NVD lists Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, and Debian Linux 8.0 as vulnerable CPEs. The CVSS vector indicates availability-only impact, with no confidentiality or integrity impact recorded.

Defensive priority

High for exposed Tomcat HTTPS services on affected Debian or Ubuntu packages; the flaw is remotely triggerable and can exhaust availability without authentication or user interaction.

Recommended defensive actions

  • Apply the patched Tomcat packages provided by your operating system vendor or distribution security advisories.
  • Verify installed package versions against the vulnerable CPE scope listed by NVD, especially Ubuntu 12.04/14.04 LTS and Debian 8.0 builds.
  • Prioritize remediation for any externally reachable HTTPS Tomcat instances.
  • Monitor affected hosts for service hangs, abnormal CPU consumption, or repeated restarts until patching is complete.
  • If you rely on downstream backports, confirm that the full related fix set was applied, not just a single CVE patch.
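One way to carry out the version and backport checks above, as an added example that is not part of the PatchSiren debrief: a POSIX shell audit that reads the Debian/Ubuntu package changelog and reports whether only the CVE-2016-6816 fix is recorded (the incomplete backport this debrief describes) or the CVE-2017-6056 / Tomcat bug 57544 follow-up as well. It assumes that the distribution records fixed CVE ids in /usr/share/doc/<pkg>/changelog.Debian.gz and that the package is named tomcat7 or tomcat8; both are assumptions, not facts taken from the page.

```shell
#!/bin/sh
# Added example, not from the PatchSiren debrief. Assumptions: Debian/Ubuntu
# security uploads record fixed CVE ids in the package changelog at
# /usr/share/doc/<pkg>/changelog.Debian.gz, and the package is tomcat7 or
# tomcat8. Confirm against your distribution's advisory before relying on it.

# Succeeds (exit 0) only if FILE (plain or gzip) mentions every ID that follows.
changelog_has_all() {
  file=$1
  shift
  case "$file" in
    *.gz) reader=zcat ;;
    *)    reader=cat ;;
  esac
  for id in "$@"; do
    "$reader" "$file" 2>/dev/null | grep -q -- "$id" || return 1
  done
  return 0
}

# Prints one of:
#   complete  - CVE-2016-6816 fix plus the CVE-2017-6056 / bug 57544 follow-up
#   partial   - only the CVE-2016-6816 fix (the incomplete backport)
#   unpatched - neither id appears; check the advisory for this package
classify_changelog() {
  f=$1
  if changelog_has_all "$f" CVE-2016-6816; then
    if changelog_has_all "$f" CVE-2017-6056 || changelog_has_all "$f" 57544; then
      echo complete
    else
      echo partial
    fi
  else
    echo unpatched
  fi
}

# Walk the installed Tomcat packages (assumed names) and report each one.
audit_installed_tomcat() {
  for pkg in tomcat7 tomcat8; do
    log=/usr/share/doc/$pkg/changelog.Debian.gz
    [ -r "$log" ] || continue
    printf '%s: %s\n' "$pkg" "$(classify_changelog "$log")"
  done
}

audit_installed_tomcat
```

A "partial" result is the condition the debrief warns about: the CVE-2016-6816 change is present without the corrective fix, so the package should be treated as vulnerable until the follow-up is confirmed.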

Evidence notes

The supplied corpus shows a public disclosure date of 2017-02-17 and an NVD record modified on 2026-05-13. NVD's CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and the primary weakness is CWE-835. The record's references include Debian security advisories, Red Hat errata, and Apache Bugzilla 60578, and the CVE description states the DoS resulted from backporting the CVE-2016-6816 fix without the Tomcat bug 57544 fix.

Official resources

Public disclosure date: 2017-02-17. NVD last modified the record on 2026-05-13. No CISA KEV entry was provided in the supplied corpus.