Published:2009/06/09  Last Updated:2015/10/21

JVN#87272440
Apache Tomcat denial of service (DoS) vulnerability

Overview

Apache Tomcat from The Apache Software Foundation contains a denial of service (DoS) vulnerability.

Products Affected

  • Apache Tomcat 4.1.0 to 4.1.39
  • Apache Tomcat 5.5.0 to 5.5.27
  • Apache Tomcat 6.0.0 to 6.0.18
According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.
For more information, refer to the developer's website.

Description

Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies.
If Tomcat receives a request with an invalid header via the Java AJP connector, it does not return an error and instead closes the AJP connection. If that connector is a member of a mod_jk load-balancing worker, mod_jk puts the member into an error state and stops routing requests to it for approximately one minute. This behavior can therefore be used for a denial of service attack: a carefully crafted request is enough to take a back-end member out of service, and repeating it keeps the member out of rotation.

Impact

A remote attacker could cause a denial of service (DoS) by sending a specially crafted request.

Solution

Update the Software

Update to Apache Tomcat 6.0.20 according to the information provided by the developer.

For Apache Tomcat 5.5.x and Apache Tomcat 4.1.x:
As of June 9, 2009, the Apache Tomcat Project had not yet released versions of these branches that resolve this vulnerability.
Update to Apache Tomcat 5.5.28 and 4.1.40 once they are released.
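As an added example (not part of the JVN advisory or of the Apache Tomcat project), the following Python script encodes the ranges from "Products Affected" and the fixed releases from "Solution" so that a version string taken from a host can be checked against them. The input format (a bare version, or the "Server number:" line that Tomcat's version.sh prints) is an assumption; the unsupported 3.x, 4.0.x and 5.0.x branches are reported separately because the advisory only says they may also be affected and names no fixed release for them.

```python
import re

# Affected range start and first fixed release per supported branch, taken from
# the advisory's "Products Affected" and "Solution" sections.
AFFECTED_RANGES = {
    (4, 1): ((4, 1, 0), (4, 1, 40)),
    (5, 5): ((5, 5, 0), (5, 5, 28)),
    (6, 0): ((6, 0, 0), (6, 0, 20)),
}

# Unsupported branches the advisory says "may also be affected". There is no
# fixed release for these, so the only remedy is migrating to a supported branch.
UNSUPPORTED_BRANCHES = {(3, None), (4, 0), (5, 0)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first a.b.c version from text such as the (assumed) line
    'Server number:  6.0.18.0' printed by Tomcat's version.sh, or a bare
    '5.5.27'. A trailing build number is ignored. Raises ValueError if no
    three-part version is present."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no Tomcat version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Classify a version string against the advisory.

    Returns (status, advice) with status one of
    'vulnerable', 'not_affected', 'unsupported', 'unknown'."""
    ver = parse_version(text)
    major, minor = ver[0], ver[1]
    # 3.x is listed as a whole branch, the others by major.minor.
    branch_key = (major, None) if major == 3 else (major, minor)
    if branch_key in UNSUPPORTED_BRANCHES:
        return ("unsupported",
                "%d.%d.%d is an unsupported branch that may also be affected; "
                "migrate to a supported release." % ver)
    rng = AFFECTED_RANGES.get((major, minor))
    if rng is None:
        return ("unknown", "%d.%d.x is not covered by this advisory." % (major, minor))
    first_affected, first_fixed = rng
    # Everything from the first affected release up to (but not including) the
    # first fixed release is treated as vulnerable. This also covers version
    # numbers in that gap that were never shipped, which is the safe reading.
    if first_affected <= ver < first_fixed:
        return ("vulnerable", "update to Apache Tomcat %d.%d.%d or later." % first_fixed)
    return ("not_affected",
            "%d.%d.%d is at or past the fixed release %d.%d.%d." % (ver + first_fixed))


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real host.
    for line in ("Server number:  6.0.18.0", "5.5.28", "4.1.39", "4.0.6", "7.0.0"):
        status, advice = assess(line)
        print("%-26s -> %-12s %s" % (line, status, advice))
```

Feed it the version string from each Tomcat instance behind mod_jk; because the error-state behavior is triggered per back-end member, every member of a load-balancing worker needs to be at or past the fixed release, not just the one that happens to answer first.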

Vendor Status

Vendor            Status          Last Update   Vendor Notes
BUFFALO INC.      Not Vulnerable  2009/06/09
FUJITSU LIMITED   Vulnerable      2015/10/09
Hitachi           Not Vulnerable  2009/06/14
NEC Corporation   Not Vulnerable  2010/04/05

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2009.06.09

Measure                    Condition                                                                   Severity
Access Required            can be attacked over the Internet using packets                             High
Authentication             anonymous or no authentication (IP addresses do not count)                  High
User Interaction Required  the vulnerability can be exploited without an honest user taking any action  High
Exploit Complexity         some expertise and/or luck required (most buffer overflows, guessing        Mid-High
                           correctly in small space, expertise in Windows function calls)

Description of each analysis measure

Credit

Yoshihito Fukuyama of NTT OSS Center reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.

Other Information

CVE CVE-2009-0033
JVN iPedia JVNDB-2009-000037

Update History

2015/10/21
FUJITSU LIMITED update status