[arch-security] [ASA-201505-8] tomcat6: denial of service

Remi Gacogne rgacogne at archlinux.org
Wed May 13 11:41:17 UTC 2015


Arch Linux Security Advisory ASA-201505-8
=========================================

Severity: Low
Date    : 2015-05-13
CVE-ID  : CVE-2014-0230
Package : tomcat6
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package tomcat6 before version 6.0.44-1 is vulnerable to remote
denial of service.

Resolution
==========

Upgrade to 6.0.44-1.

# pacman -Syu "tomcat6>=6.0.44-1"

The problem has been fixed upstream in version 6.0.44.

Workaround
==========

None.

Description
===========

When a response for a request with a request body is returned to the
user agent before the request body is fully read, by default Tomcat
swallows the remaining request body so that the next request on the
connection may be processed. There was no limit to the size of request
body that Tomcat would swallow. This permitted a limited Denial of
Service as Tomcat would never close the connection and a processing
thread would remain allocated to the connection.
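The following Python model, added here as an illustration and not taken from Tomcat or from this advisory, contrasts the two policies the description is about: draining ("swallowing") the unread remainder of a request body without any limit, so that a keep-alive worker stays bound to the connection for as long as the client keeps sending, versus draining at most a fixed number of bytes and then closing the connection to release the worker. The 2 MiB cap, the `FakeConnection` stand-in for a client socket and the 64 MiB sample body are constructed assumptions for the demonstration.

```python
# Added illustration: how an HTTP server handles the unread part of a request
# body after answering early, with and without a size cap. Not Tomcat's code.

CHUNK = 8192                    # bytes read per loop iteration
MAX_SWALLOW = 2 * 1024 * 1024   # assumed cap for the bounded variant (2 MiB)


class FakeConnection:
    """Constructed stand-in for a client socket. The 'client' has declared
    `content_length` body bytes and hands them over on demand; we count what
    the server actually reads so the two policies can be compared."""

    def __init__(self, content_length: int) -> None:
        self.content_length = content_length
        self.sent = 0
        self.closed = False

    def recv(self, n: int) -> bytes:
        n = min(n, self.content_length - self.sent)
        self.sent += n
        return b"x" * n

    def close(self) -> None:
        self.closed = True


def drain_unbounded(conn: FakeConnection, already_read: int) -> int:
    """Pre-fix behaviour: read the rest of the body however large it is, so
    the next request on this keep-alive connection can be parsed. The worker
    stays busy for as long as the client keeps sending. Returns bytes drained."""
    remaining = conn.content_length - already_read
    drained = 0
    while remaining > 0:
        data = conn.recv(min(CHUNK, remaining))
        if not data:
            break
        remaining -= len(data)
        drained += len(data)
    return drained


def drain_bounded(conn: FakeConnection, already_read: int,
                  max_swallow: int = MAX_SWALLOW) -> int:
    """Hardened behaviour: drain at most `max_swallow` bytes; if the body is
    still not exhausted, give up on keep-alive and close the connection so the
    worker is released instead of sitting in the read loop. Returns bytes drained."""
    remaining = conn.content_length - already_read
    drained = 0
    while remaining > 0 and drained < max_swallow:
        data = conn.recv(min(CHUNK, remaining, max_swallow - drained))
        if not data:
            break
        remaining -= len(data)
        drained += len(data)
    if remaining > 0:
        conn.close()
    return drained


def finish_request(conn: FakeConnection, already_read: int, bounded: bool):
    """Server side of 'respond early, then deal with the rest of the body'.
    Returns (bytes_drained, connection_kept_open)."""
    if bounded:
        drained = drain_bounded(conn, already_read)
    else:
        drained = drain_unbounded(conn, already_read)
    return drained, not conn.closed


if __name__ == "__main__":
    # Constructed scenario: client declares a 64 MiB body, server answers
    # after reading only the first 1 KiB.
    declared = 64 * 1024 * 1024
    for bounded in (False, True):
        drained, kept = finish_request(FakeConnection(declared), 1024, bounded)
        policy = "bounded" if bounded else "unbounded"
        print(f"{policy}: drained {drained} bytes, connection kept open: {kept}")
```

With the unbounded policy the worker reads all 64 MiB before it is free again, and a client that trickles the body can hold it indefinitely; with the cap it reads 2 MiB, closes the connection and returns to the pool. The upgrade in this advisory matters because the 6.0.x releases before 6.0.44 behave like the first variant.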

Impact
======

A remote attacker can cause a denial of service by preventing a large
number of connections from being closed.

References
==========

https://access.redhat.com/security/cve/CVE-2014-0230
https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44
