You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2012/12/04 20:47:38 UTC
CVE-2012-4534 Apache Tomcat denial of service
CVE-2012-4534 Apache Tomcat denial of service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.27
- Tomcat 6.0.0 to 6.0.35
Description:
When using the NIO connector with sendfile and HTTPS enabled, if a
client breaks the connection while reading the response an infinite loop
is entered leading to a denial of service. This was originally reported
as https://issues.apache.org/bugzilla/show_bug.cgi?id=52858.
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.28 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later
Credit:
The security implications of this bug were identified by Arun Neelicattu
of the Red Hat Security Response Team.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
Re: CVE-2012-4534 Apache Tomcat denial of service
Posted by Stephen Caine <st...@commongrnd.com>.
Jim,
Check your Tomcat version.
http://localhost:8080/
Stephen
On Dec 4, 2012, at 2:47 PM, Mark Thomas <ma...@apache.org> wrote:
> CVE-2012-4534 Apache Tomcat denial of service
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - Tomcat 7.0.0 to 7.0.27
> - Tomcat 6.0.0 to 6.0.35
>
> Description:
> When using the NIO connector with sendfile and HTTPS enabled, if a
> client breaks the connection while reading the response an infinite loop
> is entered leading to a denial of service. This was originally reported
> as https://issues.apache.org/bugzilla/show_bug.cgi?id=52858.
>
> Mitigation:
> Users of affected versions should apply one of the following mitigations:
> - Tomcat 7.0.x users should upgrade to 7.0.28 or later
> - Tomcat 6.0.x users should upgrade to 6.0.36 or later
>
> Credit:
> The security implications of this bug were identified by Arun Neelicattu
> of the Red Hat Security Response Team.
>
> References:
> http://tomcat.apache.org/security.html
> http://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-6.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org