REDHAT-BUG-2328045: High severity Tornado vulnerability
Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. Version 6.4.2 fixes the issue.
Frequently Asked Questions
What is the severity of REDHAT-BUG-2328045?
The severity of REDHAT-BUG-2328045 is significant due to the potential for excessive CPU consumption caused by maliciously-crafted cookie headers.
How do I fix REDHAT-BUG-2328045?
To fix REDHAT-BUG-2328045, update Tornado to version 6.4.2 or later.
What versions of Tornado are affected by REDHAT-BUG-2328045?
Tornado versions prior to 6.4.2 are affected by REDHAT-BUG-2328045.
What type of attack is associated with REDHAT-BUG-2328045?
REDHAT-BUG-2328045 is associated with denial-of-service attacks that can occur through crafted HTTP cookie headers.
When was REDHAT-BUG-2328045 reported?
REDHAT-BUG-2328045 was reported in the context of vulnerabilities related to CPU consumption in Tornado.
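To check a deployment against the fixed version named above, the following added example (not part of the advisory or of the Tornado project) flags exact `tornado` pins older than 6.4.2 in requirements-style lines and checks the locally installed package. The sample lines, the function names, and the choice to treat a pre-release of 6.4.2 as still affected are assumptions made for the example.

```python
import re
from importlib import metadata

FIXED = (6, 4, 2)  # first fixed Tornado release, per the advisory text
# name, optional [extras], exact "==" pin; version stops at marker or comment
_PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*==\s*(\d[^\s;#]*)")

def is_affected(version):
    """True if a version string sorts before 6.4.2 (simplified PEP 440)."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # "6.4" compares as 6.4.0
    # Assumption: a pre-release of the fix (6.4.2rc1) counts as prior to 6.4.2.
    pre = re.match(r"[._-]?(a|b|rc|alpha|beta|dev|pre)", m.group(2).lower())
    return nums < FIXED or (nums == FIXED and pre is not None)

def find_affected_pins(lines):
    """Return [(line_no, version)] for exact tornado pins older than the fix.
    Range specifiers such as 'tornado>=6.0' are not evaluated here."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = _PIN.match(line)
        if not m:
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 name form
        if name == "tornado" and is_affected(m.group(2)):
            hits.append((no, m.group(2)))
    return hits

def installed_tornado_affected():
    """None if Tornado is not installed in this environment, else True/False."""
    try:
        return is_affected(metadata.version("tornado"))
    except metadata.PackageNotFoundError:
        return None

# Constructed sample in requirements.txt / `pip freeze` format.
SAMPLE = """\
# constructed requirements file for the example
requests==2.32.3
Tornado==6.4.1
tornado==6.4.2
tornado == 6.3 ; python_version >= "3.8"
tornado==6.4.2rc1  # pre-release of the fix
tornado-extras==1.0
tornado>=6.0
""".splitlines()

if __name__ == "__main__":
    for no, ver in find_affected_pins(SAMPLE):
        print(f"line {no}: tornado {ver} is older than 6.4.2, upgrade")
    print("installed Tornado affected:", installed_tornado_affected())
```

Lines that use a range instead of an exact pin are skipped, so resolve them first (for example with `pip freeze` output) before relying on the result.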