Posted to announce@apache.org by Mark Thomas <ma...@apache.org> on 2011/02/05 03:05:28 UTC

[SECURITY] Oracle JVM bug causes denial of service in Apache Tomcat


The original report is [1].

Tomcat is affected when accessing a form based security constrained
page or any page that calls javax.servlet.ServletRequest.getLocale() or
javax.servlet.ServletRequest.getLocales().

Work-arounds have been implemented in the following versions:
- 7.0.8 (released)
- 6.0.32 (released)
- 5.5.33 (release expected Monday 7 Feb 2011)

All users are recommended to upgrade to a Tomcat version with the
work-around. Users unable to upgrade can filter malicious requests via a
Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd
reverse proxy) or other filtering as available.

Accept-Language headers that are compliant with RFC 2616 cannot trigger
this bug. Therefore, filtering out all requests with non-compliant
headers will provide protection against the DoS vulnerability.

The Apache Tomcat Security Team


[1]
http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

--------------------------------------------------------------------- 
To unsubscribe, e-mail: announce-unsubscribe@apache.org 
For additional commands, e-mail: announce-help@apache.org 



Re: [SECURITY] Oracle JVM bug causes denial of service in Apache Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

All,

On 2/8/2011 5:32 PM, Christopher Schultz wrote:
> All,
> 
> On 2/4/2011 9:05 PM, Mark Thomas wrote:
>> All users are recommended to upgrade to a Tomcat version with the
>> work-around. Users unable to upgrade can filter malicious requests via a
>> Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd
>> reverse proxy) or other filtering as available.
> 
> For those who might need a bit of help implementing a workaround, here
> is one that uses mod_rewrite to kill these kinds of requests:
> 
>         RewriteCond "%{HTTP:Accept-Language}" "q=[0-9.]{10,}"
>         RewriteRule .* / [L,E=no-jk:1,R=400]

If mod_rewrite isn't your style, you can also use SetEnvIf:

        SetEnvIf "Accept-Language" "q=[0-9.]{10,}" no-jk=1

This will likely result in a 404 response to the client, but at least
the request will not be sent to Tomcat.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [SECURITY] Oracle JVM bug causes denial of service in Apache Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

All,

On 2/4/2011 9:05 PM, Mark Thomas wrote:
> All users are recommended to upgrade to a Tomcat version with the
> work-around. Users unable to upgrade can filter malicious requests via a
> Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd
> reverse proxy) or other filtering as available.

For those who might need a bit of help implementing a workaround, here
is one that uses mod_rewrite to kill these kinds of requests:

        RewriteCond "%{HTTP:Accept-Language}" "q=[0-9.]{10,}"
        RewriteRule .* / [L,E=no-jk:1,R=400]

I chose "10" arbitrarily as the cutoff for the quality indicator, and
"400 Bad Request" as the response. Technically, this is a redirect but
it replies with a 400 status code. I also have the "no-jk" environment
variable set which will cause mod_jk to ignore such requests. It's not
really necessary, but it doesn't hurt.

Hope that helps,
-chris

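A Servlet-filter form of the same workaround, added here as an example that is not part of this thread or of Tomcat's own code: instead of the length heuristic in the mod_rewrite rule above, it checks every Accept-Language value against the RFC 2616 grammar the advisory refers to (language-range plus a qvalue of at most "0.000".."1.000") and answers 400 before anything in the webapp can call getLocale(). The class name and the web.xml mapping described in the comment are assumptions.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

/**
 * Rejects requests whose Accept-Language header is not RFC 2616 compliant, so
 * the header value never reaches the JVM's double parser. Hypothetical filter
 * written for this thread; map it to /* in web.xml ahead of any other filter.
 */
public class AcceptLanguageFilter implements Filter {
    // RFC 2616 language-range: ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*"
    private static final String LANGUAGE_RANGE =
            "(?:\\*|[A-Za-z]{1,8}(?:-[A-Za-z]{1,8})*)";
    // RFC 2616 qvalue: ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
    // At most five characters, so a long mantissa or an exponent never matches.
    private static final String QVALUE =
            "(?:0(?:\\.[0-9]{0,3})?|1(?:\\.0{0,3})?)";
    private static final Pattern ELEMENT = Pattern.compile(
            "^" + LANGUAGE_RANGE + "(?:\\s*;\\s*q\\s*=\\s*" + QVALUE + ")?$",
            Pattern.CASE_INSENSITIVE);

    /** True only if every comma-separated element of the header is well-formed. */
    static boolean isCompliant(String headerValue) {
        for (String element : headerValue.split(",")) {
            String trimmed = element.trim();
            if (trimmed.length() == 0) continue; // #rule allows empty elements
            if (!ELEMENT.matcher(trimmed).matches()) return false;
        }
        return true;
    }

    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        // A client may send the header more than once; check every instance.
        Enumeration<?> values =
                ((HttpServletRequest) req).getHeaders("Accept-Language");
        while (values != null && values.hasMoreElements()) {
            if (!isCompliant(String.valueOf(values.nextElement()))) {
                ((HttpServletResponse) res).sendError(400); // Bad Request
                return;
            }
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) { }
    public void destroy() { }
}
```

Because the check is a whitelist of the RFC grammar rather than a pattern for the known bad value, it also rejects other malformed q-values that a shorter denominator regex would let through.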