REDHAT-BUG-2366703: High severity tornado vulnerability
Tornado is a Python web framework and asynchronous networking library. When Tornado's multipart/form-data parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high volume of logs, constituting a DoS attack. This DoS is compounded by the fact that the logging subsystem is synchronous. All versions of Tornado prior to 6.5.0 are affected. The vulnerable parser is enabled by default. Upgrade to Tornado version 6.50 to receive a patch. As a workaround, risk can be mitigated by blocking Content-Type: multipart/form-data in a proxy.
Affected Software
Event History
Frequently Asked Questions
What is the severity of REDHAT-BUG-2366703?
The severity of REDHAT-BUG-2366703 is categorized as a high-impact vulnerability due to potential denial-of-service through excessive logging.
How do I fix REDHAT-BUG-2366703?
To fix REDHAT-BUG-2366703, upgrade Tornado to version 6.5.0 or later to mitigate the vulnerability.
Who is affected by REDHAT-BUG-2366703?
REDHAT-BUG-2366703 affects users and applications utilizing Tornado versions prior to 6.5.0.
What type of vulnerability is REDHAT-BUG-2366703?
REDHAT-BUG-2366703 is a denial-of-service vulnerability caused by improper handling of multipart form data.
What are the potential risks of REDHAT-BUG-2366703?
The potential risks of REDHAT-BUG-2366703 include degraded application performance and system instability due to log flooding.