When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited denial of service as Tomcat would never close the connection and a processing thread would remain allocated to the connection. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.8, 7.0.0 to 7.0.54, and 6.0.0 to 6.0.43.
1ad1eefef30402ac2fe3a0012efc3d875f14db6ddf39ce0f35dd36949d4a85ea-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
CVE-2014-0230 Denial of Service
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- - Apache Tomcat 8.0.0-RC1 to 8.0.8
- - Apache Tomcat 7.0.0 to 7.0.54
- - Apache Tomcat 6.0.0 to 6.0.43
Description:
When a response for a request with a request body is returned to the
user agent before the request body is fully read, by default Tomcat
swallows the remaining request body so that the next request on the
connection may be processed. There was no limit to the size of request
body that Tomcat would swallow. This permitted a limited Denial of
Service as Tomcat would never close the connection and a processing
thread would remain allocated to the connection.
Note that this issue was accidentally disclosed by Red Hat Product
Security on 9 April 2015 [4]. The Tomcat security team was made aware
of this disclosure today (5 May 2015). The information released on 9
April 2015 contained a number of errors. For the sake of clarity:
- - This issue is not limited to file upload. Any request with a body may
be affected.
- - This issue cannot be used to trigger excessive memory usage on the
server. The additional data read from the response body is not
retained - it is simply ignored.
The intention was to embargo this issue until after the 6.0.44
release. Unfortunately that is no longer possible. The Tomcat team is
working on a 6.0.44 release now and we hope to have one available by
early next week.
Mitigation:
Users of affected versions should apply one of the following mitigations
- - Upgrade to Apache Tomcat 8.0.9 or later
- - Upgrade to Apache Tomcat 7.0.55 or later
- - Upgrade to Apache Tomcat 6.0.44 or later once released
Credit:
This issue was discovered by AntBean@secdig from the Baidu Security Team
and was reported responsibly to the Apache Tomcat security team.
References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
[4] http://www.openwall.com/lists/oss-security/2015/04/10/1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJVSUnRAAoJEBDAHFovYFnnxFgP/38LAZosd36MzvWvBNQSeJmi
QRIm432bbUwVevjVXKKO27oxrL+DUBkesCc0XslGVu0N3gTqzhce2DJXIetpnl04
wV2S88F29jAfRatz65WEbj17gdlP6IobTWzFIyQlfjRxmY97AQQOwRdd/j6P2LMR
vD+thwLccbs9kxTn+MVyQu6W9a1R1Hy3fARdMlfZVchj32jCn3kD37IXF/JLPFso
btBZBt/jEqIb8uq0ZiVUDx5ErvVH5O/AAfxCEh9pfZdl4vIG7SU1KB2iTnyzdat9
Hz0jXc8WFIu3BKY9t2VI/1wUJzGHy8Xzxt4IGjTzy0EQKTI96pXAi6XsQ9AiaHVP
IAtgnEtpjk89qi8YWYoeyLsmpdeUSkCqOTYImn8/2gnrJAtS96SzvE1nBdxpI4O4
f7s2cU4PAnvf9rRvO1SBIb67VYdwB3coAMMtuOodXmjES2xK2xniGVXpIB0RjAyf
/ds/syVsbVZ2LK+LGOsxGR3Rz1dBIanlJ5Tm3fudp9XlfkLhr7Lo04iSRXKDjeIo
ERXDu0zblaMs8KOfP4vg+kAz4Ih86R+vG7xVwQ9Zjoae/t/lAWqwqQeOewC2+esL
qeyZc4J+TO6rcANQ099Iu1iBUN2T3Vd5t7ZPIFDtLSrDVSjnLz6hkltBHBD1lVOl
7nKmBsFyuQyGSHHZ4dN9
=AfA+
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed