Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- - Apache Tomcat 8.0.0-RC1 to 8.0.8
- - Apache Tomcat 7.0.0 to 7.0.54
- - Apache Tomcat 6.0.0 to 6.0.43
Description:
When a response for a request with a request body is returned to the
user agent before the request body is fully read, by default Tomcat
swallows the remaining request body so that the next request on the
connection may be processed. There was no limit to the size of request
body that Tomcat would swallow. This permitted a limited Denial of
Service as Tomcat would never close the connection and a processing
thread would remain allocated to the connection.
Note that this issue was accidentally disclosed by Red Hat Product
Security on 9 April 2015 [4]. The Tomcat security team was made aware
of this disclosure today (5 May 2015). The information released on 9
April 2015 contained a number of errors. For the sake of clarity:
- - This issue is not limited to file upload. Any request with a body may
be affected.
- - This issue cannot be used to trigger excessive memory usage on the
server. The additional data read from the response body is not
retained - it is simply ignored.
The intention was to embargo this issue until after the 6.0.44
release. Unfortunately that is no longer possible. The Tomcat team is
working on a 6.0.44 release now and we hope to have one available by
early next week.
Mitigation:
Users of affected versions should apply one of the following mitigations
- - Upgrade to Apache Tomcat 8.0.9 or later
- - Upgrade to Apache Tomcat 7.0.55 or later
- - Upgrade to Apache Tomcat 6.0.44 or later once released
Credit:
This issue was discovered by AntBean@secdig from the Baidu Security Team
and was reported responsibly to the Apache Tomcat security team.
References:
[1] http://tomcat.apache.org/
[2] http://tomcat.apache.org/
[3] http://tomcat.apache.org/
[4] http://www.openwall.com/lists/
Komentarų nėra:
Rašyti komentarą