CVE-2014-0230 Denial of Service

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.8
- Apache Tomcat 7.0.0 to 7.0.54
- Apache Tomcat 6.0.0 to 6.0.43

Description:
When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.

Note that this issue was accidentally disclosed by Red Hat Product Security on 9 April 2015. The Tomcat security team was made aware of this disclosure today (5 May 2015). The information released on 9 April 2015 contained a number of errors. For the sake of clarity:
- This issue is not limited to file upload. Any request with a body may be affected.
- This issue cannot be used to trigger excessive memory usage on the server. The additional data read from the request body is not retained - it is simply ignored.

The intention was to embargo this issue until after the 6.0.44 release. Unfortunately that is no longer possible. The Tomcat team is working on a 6.0.44 release now and we hope to have one available by early next week.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.9 or later
- Upgrade to Apache Tomcat 7.0.55 or later
- Upgrade to Apache Tomcat 6.0.44 or later once released

Credit:
This issue was discovered by [email protected] from the Baidu Security Team and was reported responsibly to the Apache Tomcat security team.

References:
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://www.openwall.com/lists/oss-security/2015/04/10/1
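The Description above is easiest to reason about as a small model of the post-response "swallow" step: the container has already answered, and it now reads and discards whatever part of the request body the application never consumed so the connection can be reused. The following Python sketch is an added example written for this page, not Tomcat's own code. It contrasts the affected behaviour (no cap: the thread stays bound to the connection for as long as the client keeps sending) with a bounded swallow that gives up past a limit and closes the connection, which is the shape of the fix shipped in the versions listed under Mitigation (exposed in later Tomcat releases as the connector attribute maxSwallowSize). The chunk size, the 2 MiB limit, the SwallowResult type and the trickling-client generator are all assumptions made for illustration; the "request body" is constructed in the script, so it runs offline.

```python
"""Model of the post-response swallow step described in CVE-2014-0230.

Stand-alone sketch written for this page, not Tomcat's code. CHUNK, the
SwallowResult type, slow_client_body() and the limit used in compare()
are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

CHUNK = 8192  # bytes per socket read; an assumed value


@dataclass
class SwallowResult:
    bytes_discarded: int  # leftover body the processing thread spent time on
    keep_alive: bool      # True = connection kept for the next request
    reads: int            # number of socket reads the thread had to make


def swallow_remaining(body: Iterator[bytes],
                      max_swallow: Optional[int]) -> SwallowResult:
    """Read and discard the unread request body after the response was sent.

    max_swallow=None reproduces the affected behaviour: the thread keeps
    reading until the client stops sending, however long that takes, and the
    connection is always kept alive. With a limit, once more than max_swallow
    bytes have been discarded the container stops, marks the connection for
    closing and so releases the processing thread.
    """
    discarded = 0
    reads = 0
    for chunk in body:
        reads += 1
        discarded += len(chunk)  # the data itself is not retained, only counted
        if max_swallow is not None and discarded > max_swallow:
            return SwallowResult(discarded, keep_alive=False, reads=reads)
    return SwallowResult(discarded, keep_alive=True, reads=reads)


def slow_client_body(total: int, chunk: int = CHUNK) -> Iterator[bytes]:
    """Constructed request body: a client that declared `total` bytes and
    delivers them in `chunk`-sized pieces (every byte is 'x')."""
    sent = 0
    while sent < total:
        n = min(chunk, total - sent)
        yield b"x" * n
        sent += n


def compare(total: int, limit: int) -> Tuple[SwallowResult, SwallowResult]:
    """Run the same leftover body through the uncapped and the capped swallow."""
    unbounded = swallow_remaining(slow_client_body(total), None)
    bounded = swallow_remaining(slow_client_body(total), limit)
    return unbounded, bounded


if __name__ == "__main__":
    MiB = 1024 * 1024
    unbounded, bounded = compare(total=64 * MiB, limit=2 * MiB)
    print("no cap :", unbounded)   # reads all 64 MiB, connection stays open
    print("capped :", bounded)     # stops just past 2 MiB, connection closed
```

The two results make the advisory's two clarifications concrete: neither path buffers the discarded data (only a counter grows), so memory is not the issue; what the cap changes is how long a processing thread can be pinned to one connection by a request body that the application never read. When reviewing a deployment, confirm the installed version is at or past the fixed releases listed above and that the connector's swallow limit has not been raised without reason.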