All,

On 5/27/14, 8:46 AM, Mark Thomas wrote:
> CVE-2014-0095 Denial of Service
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - Apache Tomcat 8.0.0-RC2 to 8.0.3
>
> Description:
> A regression was introduced in revision 1519838 that caused AJP
> requests to hang if an explicit content length of zero was set on the
> request. The hanging request consumed a request processing thread
> which could lead to a denial of service.
>
> Mitigation:
> Users of affected versions should apply one of the following mitigations
> - Upgrade to Apache Tomcat 8.0.5 or later
>   (8.0.4 contains the fix but was not released)

Alternate mitigation:

SetEnvIf "Content-Length" "^0$" no-jk=1

-chris
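The SetEnvIf work-around from this thread, shown in the context of a complete httpd virtual host that fronts Tomcat with mod_jk. This is an added example, not configuration from the mail or from the Tomcat project; the worker name ajp13_worker (assumed to be defined in conf/workers.properties), the hostname and the file paths are assumptions.

```apache
# Added example (not from the original mail): httpd virtual host that
# forwards to Tomcat over AJP via mod_jk and applies the SetEnvIf
# work-around for CVE-2014-0095. Worker name, hostname and paths are
# assumptions; workers.properties must define "ajp13_worker".
LoadModule jk_module modules/mod_jk.so

JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

<VirtualHost *:80>
    # Placeholder hostname
    ServerName app.example.com

    # Requests whose Content-Length header is exactly "0" get the no-jk
    # environment variable set. mod_jk declines any request carrying
    # no-jk, so the request is never forwarded over AJP and cannot tie
    # up a Tomcat request-processing thread on an affected 8.0.x build.
    # httpd answers such requests itself instead (for an application
    # path that usually means a 404 from httpd, not a hang in Tomcat).
    SetEnvIf Content-Length "^0$" no-jk=1

    # Everything else goes to Tomcat over AJP.
    JkMount /* ajp13_worker

    # Log whether a request was diverted (%{no-jk}e is "-" when unset),
    # so the side effects of the work-around can be reviewed.
    LogFormat "%h %l %u %t \"%r\" %>s %b nojk=%{no-jk}e" jkdivert
    CustomLog logs/access_jk.log jkdivert
</VirtualHost>
```

Two points to keep in mind when deploying this: ordinary GET requests carry no Content-Length header and are unaffected, but a legitimate POST or PUT with an empty body does send Content-Length: 0 and will be answered by httpd rather than by the application, so the access log above is worth watching for clients that rely on that. The rule only covers traffic that reaches Tomcat through mod_jk; the permanent fix is the upgrade to 8.0.5 or later named in the advisory.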