Apache Tomcat denial of service vulnerability (CVE-2014-0230) - vulnerability warning - the black bar safety net

ID MYHACK58:62201562233
Type myhack58
Reporter Anonymous
Modified 2015-05-11T00:00:00


Affected system:

> The Apache Group Tomcat 8.0.0-RC1 – 8.0.8
> The Apache Group Tomcat 7.0.0 – 7.0.54
> The Apache Group Tomcat 6.0.0 – 6.0.43


CVE(CAN) ID: CVE-2014-0230

Apache Tomcat is a popular open-source Java Servlet and JSP container.

When a response to a request that carries a request body is returned to the user agent before the body has been fully read, Tomcat by default swallows (reads and discards) the remaining request body so that the next request on the same connection can be processed. There was no limit on the size of the request body Tomcat would swallow. Because Tomcat never closes the connection in this situation, a processing thread stays allocated to it for as long as the client leaves the declared body incomplete, which permits a limited denial of service.

<source: AntBean@secdig >
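To make the mechanism concrete, the following is a small Python model written for this page, not code from Tomcat: a toy keep-alive connection handler whose application answers every request without reading its body, with the pre-fix policy (swallow whatever Content-Length declared) beside the post-fix one (close the connection when the leftover body exceeds a cap, modelled on the maxSwallowSize connector attribute and its 2 MiB default). The client traffic is constructed inline, and the helper names (`decide_after_early_response`, `serve_connection`, `build_connection`) are illustrative, not Tomcat's.

```python
"""Model of Tomcat's request-body 'swallow' after an early response (CVE-2014-0230).

Added illustration, not Tomcat code. HTTP parsing here is a deliberate toy:
Content-Length bodies only, no chunked encoding, no error handling.
"""
import io

UNLIMITED = -1  # pre-fix behaviour: swallow however many bytes the client declared
DEFAULT_MAX_SWALLOW_SIZE = 2 * 1024 * 1024  # post-fix default of the maxSwallowSize attribute


def decide_after_early_response(content_length, consumed, max_swallow_size):
    """Decide what the container does with body bytes the application never read.

    Returns ('swallow', n) to read and discard n leftover bytes and keep the
    connection alive, or ('close', 0) to drop the connection instead.
    Pre-fix Tomcat always swallowed; post-fix it closes once the leftover exceeds
    maxSwallowSize (a negative value means unlimited, i.e. the old behaviour).
    """
    remaining = max(content_length - consumed, 0)
    if max_swallow_size >= 0 and remaining > max_swallow_size:
        return ("close", 0)
    return ("swallow", remaining)


def parse_request_head(stream):
    """Read request line plus headers; return (method, path, headers) or None at EOF."""
    head = b""
    while not head.endswith(b"\r\n\r\n"):
        chunk = stream.read(1)
        if not chunk:
            return None
        head += chunk
    lines = head.decode("ascii").split("\r\n")
    method, path, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        if line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def serve_connection(stream, max_swallow_size, body_bytes_app_reads=0):
    """Process requests on one keep-alive connection and return the event log.

    The simulated application answers each request after reading only
    `body_bytes_app_reads` body bytes, so the container must handle the leftover.
    """
    events = []
    while True:
        head = parse_request_head(stream)
        if head is None:
            events.append("eof")
            return events
        method, path, headers = head
        content_length = int(headers.get("content-length", "0"))
        consumed = len(stream.read(min(body_bytes_app_reads, content_length)))
        events.append(f"response {method} {path}")
        action, n = decide_after_early_response(content_length, consumed, max_swallow_size)
        if action == "close":
            events.append(f"close (leftover {content_length - consumed} > maxSwallowSize {max_swallow_size})")
            return events
        swallowed = len(stream.read(n))
        if swallowed < n:
            # On a real socket this read would block waiting for bytes the client
            # never sends, pinning the processing thread to the connection: the DoS.
            events.append(f"blocked swallowing: got {swallowed} of {n} bytes")
            return events
        events.append(f"swallowed {swallowed}")


def build_connection(content_length, body):
    """Constructed client traffic: a POST declaring content_length but sending only
    `body`, followed by a pipelined GET that is served only if the connection survives."""
    post = (f"POST /upload HTTP/1.1\r\nHost: example\r\n"
            f"Content-Length: {content_length}\r\n\r\n").encode("ascii") + body
    get = b"GET /next HTTP/1.1\r\nHost: example\r\n\r\n"
    return io.BytesIO(post + get)


if __name__ == "__main__":
    # Honest client: body matches Content-Length, so both requests are served.
    print(serve_connection(build_connection(8, b"a" * 8), DEFAULT_MAX_SWALLOW_SIZE))
    # Abusive client with the pre-fix policy: the thread is stuck swallowing forever.
    print(serve_connection(build_connection(10**12, b"x" * 16), UNLIMITED))
    # Same client against the post-fix policy: the connection is closed instead.
    print(serve_connection(build_connection(10**12, b"x" * 16), DEFAULT_MAX_SWALLOW_SIZE))
```

The cap is what turns a thread pinned indefinitely into a closed connection; on a patched Tomcat the equivalent knob is the `maxSwallowSize` attribute on the `<Connector>` element in server.xml, and setting it to a negative value restores the unlimited pre-fix behaviour.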


Vendor patch:

The Apache Group

The vendor has released fixed versions that address this issue (Apache Tomcat 8.0.9, 7.0.55 and 6.0.44, which add the connector attribute maxSwallowSize and cap the swallowed body at 2 MiB by default); please download them from the vendor's home page:

[1] <http://tomcat.apache.org/security-8.html>
[2] <http://tomcat.apache.org/security-7.html>
[3] <http://tomcat.apache.org/security-6.html>
[4] <http://www.openwall.com/lists/oss-security/2015/04/10/1>