Apache Tomcat fails to properly handle certain requests

2005-03-14T00:00:00
ID VU:204710
Type cert
Reporter CERT
Modified 2007-05-16T00:00:00

Description

Overview

Apache Tomcat does not properly handle certain types of requests allowing a remote attacker to cause a denial of service.

Description

Apache Tomcat is an implementation of the Java Servlet and JavaServer Page (JSP) technologies. Tomcat uses the AJP12 protocol (on TCP 8007 by default) for Servlet/JSP communication. A flaw in Tomcat's implemetation of the AJP12 protocol may allow a remote attacker to cause Tomcat to stop processing requests. If a remote attacker sends Tomcat a specially crafted request, that attacker may be able to force Tomcat to stop processing all subsequent requests.

Please note that this vulnerability was reported in Tomcat version 3.x.


Impact

By sending Tomcat a specially crafted request, a remote attacker may be able to cause a denial of service.


Solution

Upgrade Tomcat

Upgrading to Tomcat version 5.x will correct this issue.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Apache| | 20 Jan 2005| 01 Mar 2005
Hitachi| | -| 10 Mar 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • None

Credit

We thank HIRT (Hitachi Incident Response Team) for reporting this vulnerability.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: Unknown
  • Date Public: 14 Mar 2005
  • Date First Published: 14 Mar 2005
  • Date Last Updated: 16 May 2007
  • Severity Metric: 0.69
  • Document Revision: 34