If an HTTP request to an Apache Tomcat server contains a cookie whose value contains a character with an ASCII code larger than 128, the result is Error 500 - Internal Server Error.
This is a good attack vector, because one XSS hole is enough to write one cookie with the value ¤ (for example), after which the site is no longer accessible from that browser.
Versions affected (tested): 7.0.26, 7.0.39, 7.0.40
The Tomcat developers do not view the scenario you describe as a Tomcat vulnerability since the vulnerability is the initial XSS and without that this behaviour cannot be exploited by an attacker.
An XSS in SOP (Same-Origin Policy) scope is enough to "turn off" one client. I also asked how to prevent that problem.
security perspective there is nothing to add to our previous response."
For details of the changes (planned and implemented) to Tomcat's cookie parsing that may well mitigate the DoS see the dev@ list.
the impact is different from http://www.securityfocus.com/bid/67671/info
they have nothing to add to previous comments.
Description of vulnerable software: Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process. [http://tomcat.apache.org/]
Vulnerability: Cookies that contain at least one symbol in the range 0x80 .. 0xff cause an Internal Server Error.
Preconditions: The possibility to send a "Set-Cookie" command to the victim (browser):
If the victim's browser has this kind of cookie, then requests from the victim's browser cause an Internal Server Error, a.k.a. this victim cannot use the current web page anymore (for as long as the browser has the cookie).
XSS payload: document.cookie='tommy=cat¤';
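
One way to keep such a cookie from reaching Tomcat, shown as an added example that is not part of the original advisory or of Tomcat itself. It assumes a front-end component that can rewrite the Cookie request header; the function names and sample headers are constructed for illustration.

```python
# Added example, not code from the advisory or from Tomcat.
# Assumption: this runs in a front-end component that can rewrite the
# Cookie request header before the request is forwarded to Tomcat.

def has_high_octet(data: bytes) -> bool:
    """True if any octet falls in the advisory's 0x80 .. 0xff range."""
    return any(octet >= 0x80 for octet in data)


def sanitize_cookie_header(raw: bytes):
    """Drop cookie pairs that contain high octets.

    Returns (clean_header, dropped_names). Pairs are split on ';', which
    RFC 6265 does not allow inside a cookie value.
    """
    kept, dropped = [], []
    for pair in raw.split(b";"):
        pair = pair.strip(b" \t")
        if not pair:
            continue
        if has_high_octet(pair):
            name = pair.partition(b"=")[0]
            # Escape the name so the report itself stays ASCII-only.
            dropped.append(name.decode("ascii", "backslashreplace"))
        else:
            kept.append(pair)
    return b"; ".join(kept), dropped


# Constructed sample headers: the payload cookie from the advisory next to
# two ordinary cookies, once as Latin-1 (0xA4) and once as UTF-8 (0xC2 0xA4).
SAMPLE_LATIN1 = b"JSESSIONID=0123ABCD; " + "tommy=cat¤".encode("latin-1") + b"; theme=dark"
SAMPLE_UTF8 = b"JSESSIONID=0123ABCD; " + "tommy=cat¤".encode("utf-8") + b"; theme=dark"

if __name__ == "__main__":
    for sample in (SAMPLE_LATIN1, SAMPLE_UTF8):
        clean, dropped = sanitize_cookie_header(sample)
        print(clean.decode("ascii"), "dropped:", dropped)
```

The dropped names are worth logging: a cookie with high octets that the application never sets is a sign that something in the same origin wrote it.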