Posted to announce@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2014/05/27 14:46:24 UTC
[SECURITY] CVE-2014-0095 Apache Tomcat denial of service
CVE-2014-0095 Denial of Service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC2 to 8.0.3
Description:
A regression was introduced in revision 1519838 that caused AJP
requests to hang if an explicit content length of zero was set on the
request. The hanging request consumed a request processing thread which
could lead to a denial of service.
Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
(8.0.4 contains the fix but was not released)
Credit:
This issue was reported as a possible bug via the Tomcat users mailing
list and the security implications were identified by the Tomcat security
team.
References:
[1] http://tomcat.apache.org/security-8.html
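The advisory above gives the affected range as 8.0.0-RC2 through 8.0.3, with the fix first shipped in 8.0.5. The following checker is an added example (not part of the advisory and not Tomcat project code) that parses Tomcat version strings, orders release candidates before the matching final release, and reports which hosts in a constructed inventory still fall in that range. The inventory hostnames and versions are made up for illustration.

```python
import re

# Constructed checker (example code, not from the advisory or the Tomcat
# project): decides whether a Tomcat version string falls in the range the
# advisory lists as affected, 8.0.0-RC2 to 8.0.3 inclusive.
VERSION_RE = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?$")


def parse_tomcat_version(text):
    """Turn '8.0.0-RC2' or 'Apache Tomcat/8.0.3' into a sortable tuple.

    Release candidates precede the final release of the same number, so the
    tuple carries a flag (0 = RC, 1 = final) ahead of the RC counter:
    8.0.0-RC2 -> (8, 0, 0, 0, 2)   8.0.0 -> (8, 0, 0, 1, 0)
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


# Range taken from the advisory's "Versions Affected" section.
AFFECTED_LOW = parse_tomcat_version("8.0.0-RC2")
AFFECTED_HIGH = parse_tomcat_version("8.0.3")


def is_affected(text):
    """True when the version is inside the affected range for CVE-2014-0095."""
    return AFFECTED_LOW <= parse_tomcat_version(text) <= AFFECTED_HIGH


def triage(inventory):
    """Given {host: version string}, return the hosts that still need the upgrade."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


if __name__ == "__main__":
    # Constructed inventory; the hostnames and versions are illustrative only.
    sample = {
        "web-01": "Apache Tomcat/8.0.3",
        "web-02": "8.0.5",
        "web-03": "8.0.0-RC1",
        "web-04": "8.0.0-RC10",
        "legacy": "7.0.53",
    }
    print("needs upgrade:", triage(sample))
```

The RC flag in the tuple is what keeps 8.0.0-RC1 out of the range while 8.0.0-RC2 and the final 8.0.0 are in it; a plain lexical comparison of the strings would get that ordering wrong.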
Re: [SECURITY] CVE-2014-0095 Apache Tomcat denial of service
Posted by Christopher Schultz <ch...@christopherschultz.net>.
All,
On 5/27/14, 2:41 PM, Christopher Schultz wrote:
> All,
>
> On 5/27/14, 8:46 AM, Mark Thomas wrote:
>> CVE-2014-0095 Denial of Service
>
>> Severity: Important
>
>> Vendor: The Apache Software Foundation
>
>> Versions Affected: - Apache Tomcat 8.0.0-RC2 to 8.0.3
>
>> Description: A regression was introduced in revision 1519838
>> that caused AJP requests to hang if an explicit content length of
>> zero was set on the request. The hanging request consumed a
>> request processing thread which could lead to a denial of
>> service.
>
>> Mitigation: Users of affected versions should apply one of the
>> following mitigations - Upgrade to Apache Tomcat 8.0.5 or later
>> (8.0.4 contains the fix but was not released)
>
> Alternate mitigation:
>
> SetEnvIf "Content-Length" "^0$" no-jk=1
After a bit of testing, I can see that clients will often send
Content-Length: 0 for a POST request that in fact has no form data
(e.g. all fields are DISABLED or there simply are no child <input>
elements for a form). Beware, as this may have an adverse impact on
your web application if you have used the above mitigation: Tomcat
will never see these form submissions and clients will likely get a
404 error.
Apologies for the bad advice.
-chris
Re: [SECURITY] CVE-2014-0095 Apache Tomcat denial of service
Posted by Christopher Schultz <ch...@christopherschultz.net>.
All,
On 5/27/14, 8:46 AM, Mark Thomas wrote:
> CVE-2014-0095 Denial of Service
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: - Apache Tomcat 8.0.0-RC2 to 8.0.3
>
> Description: A regression was introduced in revision 1519838 that
> caused AJP requests to hang if an explicit content length of zero
> was set on the request. The hanging request consumed a request
> processing thread which could lead to a denial of service.
>
> Mitigation: Users of affected versions should apply one of the
> following mitigations - Upgrade to Apache Tomcat 8.0.5 or later
> (8.0.4 contains the fix but was not released)
Alternate mitigation:
SetEnvIf "Content-Length" "^0$" no-jk=1
-chris
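The `SetEnvIf "Content-Length" "^0$" no-jk=1` workaround proposed above, and the follow-up warning in this thread that it diverts legitimate empty-form POSTs away from Tomcat, can be seen together in a small simulation. The block below is an added example, not code from the thread or from mod_jk/httpd: it is a simplified model of the rule (case-insensitive header match, anchored regex, `no-jk` means mod_jk does not forward) applied to a handful of constructed requests, and it lists which POSTs never reach the application as a result. The sample hostnames and headers are made up.

```python
import re

# Simplified model of the mod_jk bypass rule suggested in the thread (an
# assumption for this example, not httpd's own SetEnvIf implementation):
#   SetEnvIf "Content-Length" "^0$" no-jk=1
# mod_jk skips any request whose environment carries the "no-jk" variable.
NO_JK_HEADER = "content-length"
NO_JK_PATTERN = re.compile(r"^0$")


def header_value(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def sets_no_jk(headers):
    """True when the SetEnvIf rule above would set no-jk for these headers."""
    value = header_value(headers, NO_JK_HEADER)
    return value is not None and NO_JK_PATTERN.search(value) is not None


def route(method, headers):
    """Where the request ends up: forwarded to Tomcat over AJP, or left to httpd.

    A request left to httpd is served from httpd's own document tree, which for
    a servlet path usually means a 404, as the thread points out.
    """
    return "httpd" if sets_no_jk(headers) else "tomcat"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "get-page": ("GET", {"Host": "app.example"}),
    "post-empty-form": ("POST", {"Host": "app.example",
                                 "Content-Type": "application/x-www-form-urlencoded",
                                 "Content-Length": "0"}),
    "post-with-data": ("POST", {"Host": "app.example",
                                "Content-Type": "application/x-www-form-urlencoded",
                                "Content-Length": "17"}),
    "post-lowercase-header": ("POST", {"host": "app.example",
                                       "content-length": "0"}),
    "post-chunked": ("POST", {"Host": "app.example",
                              "Transfer-Encoding": "chunked"}),
}


def routing_table(samples=SAMPLES):
    """Map each sample name to its routing decision."""
    return {name: route(method, headers) for name, (method, headers) in samples.items()}


def collateral(samples=SAMPLES):
    """POSTs the rule diverts away from Tomcat: the side effect described in the
    thread, since a browser submitting an empty form sends Content-Length: 0."""
    return sorted(name for name, (method, headers) in samples.items()
                  if method == "POST" and sets_no_jk(headers))


if __name__ == "__main__":
    for name, target in routing_table().items():
        print(f"{name:24s} -> {target}")
    print("POSTs that never reach Tomcat:", collateral())
```

Running it shows the trade-off the thread ends on: the rule does keep zero-length requests off the AJP connector, but every empty-form submission is among them, which is why the upgrade to 8.0.5 or later is the mitigation the advisory actually lists.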