|
Vulnerability Note VU#204710
Apache Tomcat fails to properly handle certain requests
Overview
Apache Tomcat does not properly handle certain types of requests allowing a remote attacker to cause a denial-of-service condition.
I. Description
Apache Tomcat is an implementation of the Java Servlet and JavaServer Page (JSP) technologies. Tomcat uses the AJP12 protocol (on TCP 8007 by default) for Servlet/JSP communication. A flaw in Tomcat's implemetation of the AJP12 protocol may allow a remote attacker to cause Tomcat to stop processing requests. If a remote attacker sends Tomcat a specially crafted request, that attacker may be able to force Tomcat to stop processing all subsequent requests.
Please note that this vulnerability was reported in Tomcat version 3.x.
II. Impact
By sending Tomcat a specially crafted request, a remote attacker may be able to cause a denial-of-service condition.
III. Solution
Upgrade Tomcat
Upgrading to Tomcat version 5.x will correct this issue.
Systems Affected
Vendor Status Date Updated
Apache Vulnerable 1-Mar-2005
Hitachi Vulnerable 10-Mar-2005
References
Credit
We thank HIRT (Hitachi Incident Response Team) for reporting this vulnerability.
This document was written by Jeff Gennari.
Other Information
Date Public 03/14/2005
Date First Published 03/14/2005 10:06:34 AM
Date Last Updated 03/14/2005
CERT Advisory
CVE Name
Metric .69
Document Revision 29
If you have feedback, comments, or additional information about this vulnerability, please send us email.
|
