Bug 1191200 (CVE-2014-0230)

Summary: CVE-2014-0230 tomcat: non-persistent DoS attack by feeding data by aborting an upload
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aileenc, alazarot, alee, asantos, aszczucz, bbaranow, bdawidow, bmaxwell, ccoleman, cdewolf, chazlett, coolsvap, dandread, darran.lofthouse, dmcphers, epp-bugs, etirelli, fnasser, gnaik, grocha, gvarsami, huwang, ivan.afonichev, jason.greene, java-sig-commits, jawilson, jboss-set, jclere, jcoleman, jdg-bugs, jdoyle, jialiu, joelsmith, jokerman, jolee, jpallich, jshepherd, krzysztof.daniel, ldimaggi, lgao, lmeyer, mbabacek, mbaluch, mmccomas, mweiler, mwinkler, myarboro, nwallace, pcheung, pslavice, rrajasek, rsvoboda, rwagner, rzhang, security-response-team, soa-p-jira, tcunning, theute, tkirby, ttarrant, twalsh, vtunka, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 6.0.44, tomcat 7.0.55, tomcat 8.0.9 Doc Type: Bug Fix
Doc Text:
It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and preventing further, legitimate connections to the Tomcat server to be made.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-20 10:49:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1227592, 1227593, 1236893, 1236899, 1236905, 1236910, 1236915, 1236920, 1259358, 1259359, 1352004    
Bug Blocks: 1191201, 1253310    

Description Vasyl Kaigorodov 2015-02-10 16:38:32 UTC 
When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.

Upstream fix:

http://svn.apache.org/viewvc?view=revision&revision=1603781
http://svn.apache.org/viewvc?view=revision&revision=1603811
http://svn.apache.org/viewvc?view=revision&revision=1609176
http://svn.apache.org/viewvc?view=revision&revision=1659295
Comment 7 Jason Shepherd 2015-06-29 04:21:58 UTC 
I tested this vulnerability against the version of Tomcat6 shipped with RHEL 6.6 and found it to be unaffected. I'm updating the whiteboard to reflect that.
Comment 8 Martin Prpič 2015-06-29 16:47:16 UTC 
External References:

http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.9
Comment 11 Jason Shepherd 2015-06-30 02:15:32 UTC 
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1236920]
Comment 13 errata-xmlrpc 2015-08-13 15:29:45 UTC 
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 7
  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 5

Via RHSA-2015:1622 https://rhn.redhat.com/errata/RHSA-2015-1622.html
Comment 14 errata-xmlrpc 2015-08-13 15:31:10 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 2.1.0

Via RHSA-2015:1621 https://rhn.redhat.com/errata/RHSA-2015-1621.html
Comment 19 errata-xmlrpc 2015-12-16 18:21:21 UTC 
This issue has been addressed in the following products:

  JBoss Web Server 3.0.2

Via RHSA-2015:2661 https://rhn.redhat.com/errata/RHSA-2015-2661.html
Comment 20 errata-xmlrpc 2015-12-16 18:22:02 UTC 
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2015:2660 https://access.redhat.com/errata/RHSA-2015:2660
Comment 21 errata-xmlrpc 2015-12-16 18:22:45 UTC 
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2015:2659 https://access.redhat.com/errata/RHSA-2015:2659
Comment 22 errata-xmlrpc 2016-04-05 20:41:09 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0598 https://rhn.redhat.com/errata/RHSA-2016-0598.html
Comment 23 errata-xmlrpc 2016-04-05 20:42:34 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:0597 https://rhn.redhat.com/errata/RHSA-2016-0597.html
Comment 24 errata-xmlrpc 2016-04-05 20:43:39 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html
Comment 25 errata-xmlrpc 2016-04-05 20:44:42 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html
Comment 26 errata-xmlrpc 2016-04-05 22:21:01 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:0599 https://rhn.redhat.com/errata/RHSA-2016-0599.html
Comment 27 errata-xmlrpc 2016-04-28 17:41:56 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html
Comment 28 errata-xmlrpc 2016-04-28 17:42:30 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html
Comment 29 Tomas Hoger 2018-09-27 11:47:05 UTC 
The tomcat packages in Red Hat Enterprise Linux 7 were updated to the fixed upstream version via the following erratum, released as part of the Red Hat Enterprise Linux 7.3.

https://access.redhat.com/errata/RHSA-2016:2599