JVN#87272440: Apache Tomcat denial of service (DoS) vulnerability

Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies.
If Tomcat receives a request with an invalid header via the Java AJP connector, it will not return an error and instead closes the AJP connection. In case this connector is member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behavior can be used for a denial of service attack using a carefully crafted request.

Impact

A remote attacker could possiblly cause a denial of service (DoS) attack by sending a specially crafted request.

Solution

Update the Software

Update to Apache Tomcat 6.0.20 according to the information provided by the developer.

For Apache Tomcat 5.5.x and Apache Tomcat 4.1.x:
As of June 9, 2009, The Apache Tomcat Project has not yet released the latest versions resolving this vulnerability.
Update to Apache Tomcat 5.5.28 and 4.1.10 once they are released.

Products Affected

• Apache Tomcat 4.1.0 to 4.1.39
• Apache Tomcat 5.5.0 to 5.5.27
• Apache Tomcat 6.0.0 to 6.0.18
  According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.
  For more information, refer to the developer’s website.