Bugtraq mailing list archives

[SECURITY] CVE-2014-0075 Apache Tomcat denial of service
From: Mark Thomas <markt () apache org>
Date: Tue, 27 May 2014 13:46:16 +0100

CVE-2014-0075 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

It was possible to craft a malformed chunk size as part of a chunked
request that enabled an unlimited amount of data to be streamed to the
server, bypassing the various size limits enforced on a request. This
enabled a denial of service attack.
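The advisory contains no code; the following Python is an added illustration (not Tomcat's code) of the two checks a chunked-body reader needs so that the failure described above cannot occur: the chunk-size line must parse strictly and stay within a fixed bound, and the cumulative decoded size must be compared against the request limit before any chunk data is buffered. The per-chunk bound, the limit value and the sample bodies are assumptions constructed for this example.

```python
# Added example (not Tomcat's code): a strict chunked-body reader that keeps
# a malformed or oversized chunk size from bypassing the request size limit.

MAX_CHUNK_SIZE = 0x7FFFFFFF  # assumed per-chunk bound (at most 8 hex digits)
HEX_DIGITS = b"0123456789abcdefABCDEF"

class ChunkError(ValueError): pass  # malformed encoding or a limit was exceeded

def parse_chunk_size(line: bytes) -> int:
    """Parse a chunk-size line ('HEX[;extension]') strictly and bound the value."""
    size_part = line.split(b";", 1)[0].strip()          # drop any chunk extension
    if not size_part or any(c not in HEX_DIGITS for c in size_part):
        raise ChunkError(f"malformed chunk size: {line!r}")   # rejects '-1', '', 'FFg'
    digits = size_part.lstrip(b"0") or b"0"
    if len(digits) > 8:                                   # cannot fit the bound:
        raise ChunkError(f"chunk size too large: {line!r}")   # reject before converting
    size = int(digits, 16)
    if size > MAX_CHUNK_SIZE:
        raise ChunkError(f"chunk size too large: {line!r}")
    return size

def read_chunked_body(stream: bytes, max_body: int) -> bytes:
    """Decode a chunked body, failing as soon as the total would exceed max_body."""
    body = bytearray()
    pos = 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkError("truncated chunk-size line")
        size = parse_chunk_size(stream[pos:eol])
        pos = eol + 2
        if size == 0:
            return bytes(body)        # last-chunk; trailers are ignored in this example
        # Apply the limit to the DECLARED size before buffering, so a sender cannot
        # stream more than max_body bytes simply by announcing a large chunk.
        if len(body) + size > max_body:
            raise ChunkError(f"chunked body exceeds limit of {max_body} bytes")
        data = stream[pos:pos + size]
        if len(data) < size or stream[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkError("truncated or unterminated chunk data")
        body += data
        pos += size + 2

def is_rejected(stream: bytes, max_body: int = 64) -> bool:
    """True if the reader refuses the (constructed) body; used by the checks."""
    try:
        read_chunked_body(stream, max_body)
        return False
    except ChunkError:
        return True
```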

Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

This issue was reported to the Tomcat security team by David Jorm of the
Red Hat Security Response Team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
