CVSS2 base score: 7.8 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
EPSS: 0.046 (Low), percentile 91.7%
Affected systems:
Apache Group Tomcat 8.0.0-RC1 – 8.0.8
Apache Group Tomcat 7.0.0 – 7.0.54
Apache Group Tomcat 6.0.0 – 6.0.43
Description:
CVE ID: CVE-2014-0230
Apache Tomcat is a popular open source servlet and JSP application server.
When Tomcat sends a response to the user agent without having read the request body, it by default swallows (reads and discards) the remainder of that body so the connection can be reused for the next request. The affected versions place no limit on how much request body Tomcat will swallow in this way. Rather than closing the connection, Tomcat keeps it open, and the processing thread stays bound to it while the body is consumed; this can lead to a limited denial of service.
Source: AntBean@secdig
Recommendations:
Vendor patch:
The vendor has released fixed versions that address this issue; download them from the vendor's security pages:
[1] <http://tomcat.apache.org/security-8.html>
[2] <http://tomcat.apache.org/security-7.html>
[3] <http://tomcat.apache.org/security-6.html>
[4] <http://www.openwall.com/lists/oss-security/2015/04/10/1>
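To make the mitigation concrete, here is an added server.xml Connector example that is not part of this advisory and not taken from the Apache Tomcat project. It assumes a Tomcat release that includes the vendor fix, where the HTTP Connector accepts the maxSwallowSize attribute (the advisory above does not name the attribute; confirm it against the connector documentation for your branch). The first fragment shows the weak setting that reproduces the unbounded-swallow behaviour described above, the second the capped setting.

```xml
<!-- Added example, not from the advisory or the Tomcat project.
     Assumes a fixed Tomcat release whose HTTP Connector supports maxSwallowSize. -->

<!-- Weak: a negative value disables the limit, so Tomcat will read and discard
     an unbounded request body after it has already sent the response, keeping
     the processing thread tied to that connection. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxSwallowSize="-1" />

<!-- Hardened: cap the number of request-body bytes Tomcat swallows for an
     aborted request. 2097152 (2 MB) is the documented default in fixed releases;
     setting it explicitly keeps the intent visible during configuration review. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxSwallowSize="2097152" />
```

Once a client sends more body than the cap allows, Tomcat stops swallowing and closes the connection instead of holding the thread, which is the behaviour the advisory's fix restores. Leave the attribute at a bounded value unless an application genuinely needs clients to upload large bodies that the server then rejects, and pair it with a reasonable connectionTimeout so idle connections are also released.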