Apache Tomcat Connection Swallow Denial Of Service

2015.05.06
Credit: Baidu Security Team
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2014-0230
CWE: CWE-399


CVSS Base Score: 7.8/10
Impact Subscore: 6.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 CVE-2014-0230 Denial of Service Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 8.0.0-RC1 to 8.0.8 - - Apache Tomcat 7.0.0 to 7.0.54 - - Apache Tomcat 6.0.0 to 6.0.43 Description: When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection. Note that this issue was accidentally disclosed by Red Hat Product Security on 9 April 2015 [4]. The Tomcat security team was made aware of this disclosure today (5 May 2015). The information released on 9 April 2015 contained a number of errors. For the sake of clarity: - - This issue is not limited to file upload. Any request with a body may be affected. - - This issue cannot be used to trigger excessive memory usage on the server. The additional data read from the response body is not retained - it is simply ignored. The intention was to embargo this issue until after the 6.0.44 release. Unfortunately that is no longer possible. The Tomcat team is working on a 6.0.44 release now and we hope to have one available by early next week. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 8.0.9 or later - - Upgrade to Apache Tomcat 7.0.55 or later - - Upgrade to Apache Tomcat 6.0.44 or later once released Credit: This issue was discovered by AntBean@secdig from the Baidu Security Team and was reported responsibly to the Apache Tomcat security team. References: [1] http://tomcat.apache.org/security-8.html [2] http://tomcat.apache.org/security-7.html [3] http://tomcat.apache.org/security-6.html [4] http://www.openwall.com/lists/oss-security/2015/04/10/1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJVSUnRAAoJEBDAHFovYFnnxFgP/38LAZosd36MzvWvBNQSeJmi QRIm432bbUwVevjVXKKO27oxrL+DUBkesCc0XslGVu0N3gTqzhce2DJXIetpnl04 wV2S88F29jAfRatz65WEbj17gdlP6IobTWzFIyQlfjRxmY97AQQOwRdd/j6P2LMR vD+thwLccbs9kxTn+MVyQu6W9a1R1Hy3fARdMlfZVchj32jCn3kD37IXF/JLPFso btBZBt/jEqIb8uq0ZiVUDx5ErvVH5O/AAfxCEh9pfZdl4vIG7SU1KB2iTnyzdat9 Hz0jXc8WFIu3BKY9t2VI/1wUJzGHy8Xzxt4IGjTzy0EQKTI96pXAi6XsQ9AiaHVP IAtgnEtpjk89qi8YWYoeyLsmpdeUSkCqOTYImn8/2gnrJAtS96SzvE1nBdxpI4O4 f7s2cU4PAnvf9rRvO1SBIb67VYdwB3coAMMtuOodXmjES2xK2xniGVXpIB0RjAyf /ds/syVsbVZ2LK+LGOsxGR3Rz1dBIanlJ5Tm3fudp9XlfkLhr7Lo04iSRXKDjeIo ERXDu0zblaMs8KOfP4vg+kAz4Ih86R+vG7xVwQ9Zjoae/t/lAWqwqQeOewC2+esL qeyZc4J+TO6rcANQ099Iu1iBUN2T3Vd5t7ZPIFDtLSrDVSjnLz6hkltBHBD1lVOl 7nKmBsFyuQyGSHHZ4dN9 =AfA+ -----END PGP SIGNATURE-----

References:

http://www.openwall.com/lists/oss-security/2015/04/10/1
http://tomcat.apache.org/security-8.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top