Bug 237085 (CVE-2005-3510)

Summary: CVE-2005-3510 tomcat DoS
Product: [Other] Security Response
Reporter: Mark J. Cox <mjc>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Doc Type: Bug Fix
Last Closed: 2013-05-08 18:03:51 UTC
Bug Depends On: 237090, 238402, 390331, 390341, 390351, 390361, 414311, 430730, 430731, 449337, 470236, 470237    
Bug Blocks: 444136    

Description Mark J. Cox 2007-04-19 12:16:02 UTC
According to http://tomcat.apache.org/security-5.html

Fixed in Apache Tomcat 5.5.13, 5.0.HEAD

Denial of service CVE-2005-3510

The root cause is the relatively expensive calls required to generate the
content for the directory listings. If directory listings are enabled, the
number of files in each directory should be kept to a minimum. In response to
this issue, directory listings were changed to be disabled by default.
Additionally, a patch has been proposed that would improve performance,
particularly for large directories, by caching directory listings.

Affects: 5.0.0-5.5.30, 5.5.0-5.5.12

Comment 1 Mark J. Cox 2007-04-19 12:16:44 UTC
(actually this issue was I believe fixed in 5.5.12 not 5.5.13; clarifying with
Tomcat security team)

Comment 2 Mark J. Cox 2007-04-23 11:06:33 UTC
Advisory text: "Directory listings were enabled by default in Tomcat and it was
found that generating listings of large directories was CPU intensive.  An
attacker could make repeated requests to obtain a directory listing of any
large directory, leading to a denial of service.  (CVE-2005-3510)"

Comment 3 Mark J. Cox 2007-04-23 11:07:59 UTC
So directory listings were disabled by default in 5.5.13 which mitigates this
issue. Changes were made in 5.5.12 which reduced the effect of this issue (once
the attacker stops making the requests, tomcat will recover, so it's only a
limited DoS)

Comment 9 errata-xmlrpc 2010-08-04 21:32:33 UTC
This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html

Comment 10 Vincent Danen 2013-05-08 18:03:51 UTC
Please see https://access.redhat.com/security/cve/CVE-2005-3510 for a list of other products that contain this fix.