Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies.
If Tomcat receives a request with an invalid header via the Java AJP connector, it does not return an error and instead closes the AJP connection. If this connector is a member of a mod_jk load balancing worker, the member is put into an error state and is blocked from use for approximately one minute. A carefully crafted request can therefore be used for a denial of service attack.
A remote attacker could possibly cause a denial of service (DoS) by sending a specially crafted request.
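To find which Tomcat AJP backends sit behind a mod_jk load balancing worker, and so can be blocked as described above, the following added example (not from this advisory or the Tomcat project) parses a `workers.properties` file and lists each balancer with its members and blocking window. The sample configuration, worker names and hosts are constructed; the 60-second `recover_time` and the `localhost`/`8009` fallbacks are assumed from mod_jk's documented defaults.

```python
# Added example: inventory of mod_jk load-balancer members from workers.properties.
DEFAULT_RECOVER_TIME = 60  # assumed mod_jk default for lb workers, in seconds

# Constructed sample configuration; worker names and hosts are placeholders.
SAMPLE = """\
worker.list=balancer,solo
worker.balancer.type=lb
worker.balancer.balance_workers=node1, node2
worker.solo.type=lb
worker.solo.balance_workers=node3
worker.solo.recover_time=120
worker.node1.host=app1.example.internal
worker.node1.port=8010
worker.node3.host=app3.example.internal
"""

def parse_workers(text):
    """Return {worker_name: {property: value}} from workers.properties text."""
    workers = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        parts = key.split(".")
        if len(parts) == 3 and parts[0] == "worker":  # worker.<name>.<property>
            workers.setdefault(parts[1], {})[parts[2]] = value
    return workers

def lb_exposure(text):
    """List each lb worker with its AJP backends and how long a failed member is blocked."""
    workers = parse_workers(text)
    report = []
    for name, props in sorted(workers.items()):
        if props.get("type") != "lb":
            continue
        members = [m.strip() for m in props.get("balance_workers", "").split(",") if m.strip()]
        backends = ["%s:%s" % (workers.get(m, {}).get("host", "localhost"),
                               workers.get(m, {}).get("port", "8009")) for m in members]
        report.append({"balancer": name, "backends": backends,
                       "recover_time": int(props.get("recover_time", DEFAULT_RECOVER_TIME)),
                       "single_member": len(members) == 1})
    return report

if __name__ == "__main__":
    for row in lb_exposure(SAMPLE):
        print(row)
```

A balancer reported with `single_member` set has no other member to fail over to while its only backend is in the error state.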
Update the Software
Update to Apache Tomcat 6.0.20 according to the information provided by the developer.
For Apache Tomcat 5.5.x and Apache Tomcat 4.1.x:
As of June 9, 2009, the Apache Tomcat Project has not yet released the latest versions resolving this vulnerability.
Update to Apache Tomcat 5.5.28 and 4.1.10 once they are released.
## Products Affected