[SECURITY] CVE-2014-0075 Apache Tomcat denial of service May 27 2014 12:46PM
Mark Thomas (markt apache org)
CVE-2014-0075 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

It was possible to craft a malformed chunk size as part of a chucked
request that enabled an unlimited amount of data to be streamed to the
server, bypassing the various size limits enforced on a request. This
enabled a denial of service attack.

Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
(8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later
(6.0.40 contains the fix but was not released)

This issue was reported to the Tomcat security team by David Jorm of the
Red Hat Security Response Team.

[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus