JVN#87272440
Apache Tomcat denial of service (DoS) vulnerability
Overview
Apache Tomcat from The Apache Software Foundation contains a denial of service (DoS) vulnerability.
Products Affected
- Apache Tomcat 4.1.0 to 4.1.39
- Apache Tomcat 5.5.0 to 5.5.27
- Apache Tomcat 6.0.0 to 6.0.18
For more information, refer to the developer's website.
Description
Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies.
If Tomcat receives a request with an invalid header via the Java AJP connector, it will not return an error and instead closes the AJP connection. In case this connector is member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behavior can be used for a denial of service attack using a carefully crafted request.
Impact
A remote attacker could possiblly cause a denial of service (DoS) attack by sending a specially crafted request.
Solution
Update the Software
Update to Apache Tomcat 6.0.20 according to the information provided by the developer.
For Apache Tomcat 5.5.x and Apache Tomcat 4.1.x:
As of June 9, 2009, The Apache Tomcat Project has not yet released the latest versions resolving this vulnerability.
Update to Apache Tomcat 5.5.28 and 4.1.10 once they are released.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| BUFFALO INC. | Not Vulnerable | 2009/06/09 | |
| FUJITSU LIMITED | Vulnerable | 2015/10/09 | |
| Hitachi | Not Vulnerable | 2009/06/14 | |
| NEC Corporation | Not Vulnerable | 2010/04/05 |
| Vendor | Link |
| Apache Tomcat | Security Updates |
| Apache Tomcat 6.x vulnerabilities(CVE-2009-0033) |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2009.06.09
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | can be attacked over the Internet using packets |
|
| Authentication | anonymous or no authentication (IP addresses do not count) |
|
| User Interaction Required | the vulnerability can be exploited without an honest user taking any action |
|
| Exploit Complexity | some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) |
|
Credit
Yoshihito Fukuyama of NTT OSS Center reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE |
CVE-2009-0033 |
| JVN iPedia |
JVNDB-2009-000037 |
Update History
- 2015/10/21
- FUJITSU LIMITED update status