[SECURITY] Oracle JVM bug causes denial of service in Apache Tomcat

2011-02-08T00:00:00
ID SECURITYVULNS:DOC:25622
Type securityvulns
Reporter Securityvulns
Modified 2011-02-08T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

The original report is [1].

Tomcat is affected when accessing a form based security constrained page or any page that calls javax.servlet.ServletRequest.getLocale() or javax.servlet.ServletRequest.getLocales().

Work-arounds have been implemented in the following versions: - - 7.0.8 (released) - - 6.0.32 (released) - - 5.5.33 (released expected Monday 7 Feb 2011)

All users are recommended to upgrade to a Tomcat version with the work-around. Users unable to upgrade can filter malicious requests via a Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd reverse proxy) or other filtering as available.

Accept-Language headers that are compliant with RFC 2616 can not trigger this bug. Therefore, filtering out all request with non-compliant headers will provide protection against the DOS vulnerability.

The Apache Tomcat Security Team

[1] http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNTLBnAAoJEBDAHFovYFnnk0IQAOB6xo9/wEqckNzq/MUxfxH8 c131gJ0XcMktGZ7x7A2/SgG/oIfl5B4q78EujtPwHsy8XS9XRKCdJtOz8Ak67zb7 z6UhB+ha2R0fgzJoesZeBiHyH4vymB8izF9npnDuFv+Gij7K08mu5bERMCNNQftc +/0a7I2QD/K5YoqkYW/1RLwWhrbAXmjE8ysmnTtgfemRxmGL971bx8+9+l9JmGpm unP+yVYpKNnGXNUSNuL9C0oka2iCzkrPW0UplZyyMsB2iiuKetYESL9KR1rEvxA6 OL4FmS0OxzyPO0UwXFd6qJxc6L2BaWLdhyu7Qp/WnWDFsPDdGa7J87i4WeMsNb2D GYk+9TNV4S2QOCK1dFuARvCY74QykuthBEUHmCJUOT5fUt3NtGXjMTvBTWZUGIbg Eqe5nfGxLB2ZcimWoYUKoYJe31/DY8lBFVPl4KVIUlcQ0RLjnE7JqbSey8ZrHZ4o FY9ZA74ndDUjEaJpwgRVHN6FO7Sts+wDPATYZVvO3lPb0pzwGTBFPAcSiysqbiJT njwUBWfz5e7cpXpHvCPyh0PGY6giHticXplhKsq9M/ZK1G6ZzFXbBwlACUfLGFK7 Pt4af26arAlcoapJ0PG8AXGPZLztzLVR1jaNBJ9900gIZ/OI5cmZ9n23l0viTtEf v/8kgZ+3uv6vRb3+wrXH =oxMp -----END PGP SIGNATURE-----