Tomcat DoS vulnerability addressed

January 17, 2012

Posted in: Network Security Trends

Bugtraq has published details of a vulnerability in Apache Tomcat (CVE-2012-0022, Apache Tomcat Denial of Service) that lets an attacker exhaust the server's CPU capacity with specially crafted requests. Unlike the botnet-driven floods typical of distributed denial-of-service (DDoS) attacks, this kind of attack relies on a small number of crafted requests that exploit a specific weakness in the server rather than on sheer volume, so a single attacker can carry it out. In some cases the affected Tomcat instance has to be restarted before its performance returns to normal.

The weakness lies in how Tomcat processed requests carrying very large numbers of parameters and parameter values; it was fixed by reworking the parameter handling code so that such requests are processed efficiently. Tomcat 5.5, 6.0 and 7.0 are affected, and earlier versions may be as well. Users of these branches should upgrade to the fixed releases available from Apache (5.5.35, 6.0.35 and 7.0.23, respectively). The fixed Tomcat 6 and 7 releases also expose a Connector attribute, maxParameterCount (default 10000), that caps the number of parameter and value pairs the container will parse per request; lowering it to what the deployed applications actually need reduces the work any single request can force on the server.
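To make the defence concrete, the following Python example (added here; it is not Tomcat's code and does not reproduce the actual patch) contrasts a naive form-parameter parser, which decodes every pair a client sends, with one that enforces a cap in the style of maxParameterCount and fails fast. The cap value, the `TooManyParameters` exception and the `build_flood_body` helper are constructed for the illustration; the choice to reject the request outright, rather than silently ignore the excess pairs as Tomcat does, is a deliberate difference.

```python
"""Bounded request-parameter parsing (added illustration, not Tomcat code).

CVE-2012-0022 was caused by Tomcat doing too much work per parameter on
requests that carry enormous numbers of name=value pairs.  The cheapest
defence, which Tomcat also exposes as the Connector attribute
maxParameterCount, is to bound how many pairs a request may carry and to
stop before doing per-parameter work on the rest.
"""
from urllib.parse import unquote_plus


class TooManyParameters(ValueError):
    """Raised when a request exceeds the configured parameter cap (hypothetical)."""


def parse_params_unbounded(body: str) -> dict:
    """Naive parser: decodes every pair, however many the client sends."""
    params: dict = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def parse_params_bounded(body: str, max_params: int = 10000) -> dict:
    """Parser with a cap: counts pairs while scanning and fails fast.

    Work done before rejection is proportional to max_params, not to the
    size of the request, so an attacker sending millions of pairs cannot
    force the server to decode them all.  Tomcat's maxParameterCount drops
    the excess pairs instead of failing; rejecting is the stricter choice
    made in this example.
    """
    params: dict = {}
    count = 0
    start = 0
    n = len(body)
    while start < n:
        end = body.find("&", start)
        if end == -1:
            end = n
        pair = body[start:end]
        start = end + 1
        if not pair:
            continue
        count += 1
        if count > max_params:
            raise TooManyParameters(
                f"request carries more than {max_params} parameters")
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def build_flood_body(pairs: int) -> str:
    """Constructed sample of an abusive request body with `pairs` parameters."""
    return "&".join(f"p{i}=v{i}" for i in range(pairs))


def demo() -> dict:
    """Run both parsers against a constructed 50,000-parameter flood."""
    body = build_flood_body(50000)
    unbounded = parse_params_unbounded(body)
    try:
        parse_params_bounded(body, max_params=10000)
        bounded_rejected = False
    except TooManyParameters:
        bounded_rejected = True
    return {"unbounded_decoded": len(unbounded),
            "bounded_rejected": bounded_rejected}


if __name__ == "__main__":
    print(demo())  # {'unbounded_decoded': 50000, 'bounded_rejected': True}
```

A legitimate form with a handful of fields passes the bounded parser unchanged, including repeated names and percent- or plus-encoded values, while the constructed flood is refused after the cap is hit. Whether to reject or to truncate is a policy decision: truncation keeps misconfigured but honest clients working, rejection gives a clear signal that something is probing the server and is easier to alert on.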
