Bugtraq mailing list archives

CVE-2012-4534 Apache Tomcat denial of service
From: Mark Thomas <markt () apache org>
Date: Tue, 04 Dec 2012 19:47:38 +0000

CVE-2012-4534 Apache Tomcat denial of service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.27
- Tomcat 6.0.0 to 6.0.35

When using the NIO connector with sendfile and HTTPS enabled, if a
client breaks the connection while reading the response, an infinite loop
is entered leading to a denial of service. This was originally reported
as https://issues.apache.org/bugzilla/show_bug.cgi?id=52858.

Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.28 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

The security implications of this bug were identified by Arun Neelicattu
of the Red Hat Security Response Team.
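The following is an added example, not part of the advisory above, showing how an operator can turn the "Versions Affected" and "mitigations" lists into an automated inventory check. It parses either a bare version string or the "Server version: Apache Tomcat/x.y.z" line that `catalina.sh version` prints (the sample input lines below are constructed for the example), compares the version against the inclusive ranges the advisory lists, and names the fixed release for that branch. Branches the advisory does not mention are reported as "not listed" rather than as safe, and a hit means "affected version", not proof of exposure, since the advisory ties the bug to the NIO connector with sendfile and HTTPS enabled.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges and fixed release per branch, as stated in the advisory.
AFFECTED = {
    6: ((6, 0, 0), (6, 0, 35), "6.0.36"),
    7: ((7, 0, 0), (7, 0, 27), "7.0.28"),
}

# Matches the version line printed by `catalina.sh version` / `version.sh`.
SERVER_LINE_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")
BARE_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)\s*")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a server version line or a bare
    'x.y.z' string; None if no version can be found."""
    m = SERVER_LINE_RE.search(text) or BARE_RE.fullmatch(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def check_cve_2012_4534(text: str) -> dict:
    """Classify a Tomcat version against the CVE-2012-4534 affected ranges.

    'affected' is True only when the version falls inside a listed range.
    Exposure still depends on the connector configuration (NIO + sendfile
    + HTTPS per the advisory), which this check does not inspect."""
    version = parse_version(text)
    if version is None:
        return {"version": None, "affected": False, "reason": "unparsable version"}
    branch = AFFECTED.get(version[0])
    if branch is None:
        return {"version": version, "affected": False,
                "reason": "branch not listed in advisory"}
    low, high, fixed = branch
    if low <= version <= high:
        return {"version": version, "affected": True, "upgrade_to": fixed}
    return {"version": version, "affected": False,
            "reason": f"at or above fixed release {fixed}"}


if __name__ == "__main__":
    # Constructed sample inputs, in the format catalina.sh version prints.
    samples = [
        "Server version: Apache Tomcat/7.0.27",
        "Server version: Apache Tomcat/7.0.28",
        "Server version: Apache Tomcat/6.0.35",
        "Server version: Apache Tomcat/5.5.36",
        "not a version line",
    ]
    for line in samples:
        print(line, "->", check_cve_2012_4534(line))
```

Feed it the output of `catalina.sh version` from each host (or version strings pulled from a CMDB) and treat every `affected: True` result as a host to schedule for the 7.0.28 / 6.0.36 upgrade the advisory prescribes; checking whether that host actually runs the NIO connector with sendfile and HTTPS is a separate configuration review.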

