Bug 493381 (CVE-2009-0033)

Summary: CVE-2009-0033 tomcat6 Denial-Of-Service with AJP connection
Product: [Other] Security Response
Reporter: Marc Schoenefeld <mschoene>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: Pavel Kralik <pkralik>
Severity: high
Priority: high
Version: unspecified
CC: dknox, dwalluck, fnasser, jscotka, kreilly, kseifried, mjc, mvecera, pkralik, security-response-team, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-10-25 20:10:14 UTC
Bug Depends On: 503980, 503981, 504113, 504115, 528911, 528912, 528913, 528914, 533903, 533905, 574565, 574566

Comment 2 Marc Schoenefeld 2009-06-03 16:05:12 UTC
If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP connection. In case this connector is a member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behaviour can be used for a denial of service attack using a carefully crafted request.
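
The failure mode described in Comment 2, modelled as an added example (this is not code from the bug report, Tomcat or mod_jk): a connector that drops the AJP connection on a malformed header makes the lb worker mark that member as failed and skip it for a recovery period, while a connector that answers 400 keeps every member in rotation. The member names, the 60-second recovery value and the "header without a colon" stand-in for an invalid header are constructed assumptions.

```python
# Added example, not code from the bug report or from Tomcat/mod_jk: a small
# model of the failure mode in Comment 2. A connector that drops the AJP
# connection on a malformed header makes the lb worker mark that member as
# failed and skip it for RECOVER_TIME seconds; a connector that answers 400
# instead keeps every member in rotation. Names and values are constructed.

RECOVER_TIME = 60.0   # seconds a failed member stays out of rotation (assumption)

def _malformed(headers):
    # Constructed stand-in for "invalid headers": a header line with no ':'.
    return any(":" not in h for h in headers)

def connector_closes_on_error(headers):
    """Pre-fix behaviour: None models the AJP connection being closed."""
    return None if _malformed(headers) else 200

def connector_answers_400(headers):
    """Post-fix behaviour: the request is rejected, the connection survives."""
    return 400 if _malformed(headers) else 200

class LoadBalancer:
    """Minimal model of a mod_jk lb worker with failover between members."""
    def __init__(self, members):
        self.error_until = {m: 0.0 for m in members}   # member -> recovery time

    def usable(self, now):
        return [m for m, t in self.error_until.items() if t <= now]

    def dispatch(self, connector, headers, now):
        """Route one request; returns (member, status) or (None, 503)."""
        for member in self.usable(now):
            status = connector(headers)
            if status is None:                # connection dropped: error state
                self.error_until[member] = now + RECOVER_TIME
                continue                      # fail over to the next member
            return member, status
        return None, 503                      # no member left to serve it

def outage_seconds(connector, members=("tomcat1", "tomcat2")):
    """Seconds during which a valid request cannot be served after a single
    malformed request at t=0 is routed through the given connector."""
    lb = LoadBalancer(members)
    lb.dispatch(connector, ["Host"], now=0.0)            # malformed header
    good = ["Host: example.test"]
    t = 0.0
    while lb.dispatch(connector, good, now=t)[1] == 503:
        t += 1.0
    return t
```

With the pre-fix connector one malformed request fails over through every member and takes the whole pool out for the recovery period; with the post-fix connector the same request only earns a 400 response.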

Comment 4 Marc Schoenefeld 2009-06-03 16:53:53 UTC
Patchset for tomcat6: http://svn.apache.org/viewvc?view=rev&revision=742915
Patchset for tomcat5: http://svn.apache.org/viewvc?view=rev&revision=781362

Comment 7 errata-xmlrpc 2009-07-21 20:56:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1164 https://rhn.redhat.com/errata/RHSA-2009-1164.html

Comment 8 errata-xmlrpc 2009-09-21 15:51:49 UTC
This issue has been addressed in the following products:

  JBEWS 1.0.0 for RHEL 4
  JBEWS 1.0.0 for RHEL 5

Via RHSA-2009:1454 https://rhn.redhat.com/errata/RHSA-2009-1454.html

Comment 12 errata-xmlrpc 2009-10-14 16:15:18 UTC
This issue has been addressed in the following products:

  JBEWS 1.0.0 for RHEL 5
  JBEWS 1.0.0 for RHEL 4

Via RHSA-2009:1506 https://rhn.redhat.com/errata/RHSA-2009-1506.html

Comment 13 errata-xmlrpc 2009-11-09 15:26:26 UTC
This issue has been addressed in the following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2009:1562 https://rhn.redhat.com/errata/RHSA-2009-1562.html

Comment 14 errata-xmlrpc 2009-11-09 15:37:34 UTC
This issue has been addressed in the following products:

  Red Hat Developer Suite V.3

Via RHSA-2009:1563 https://rhn.redhat.com/errata/RHSA-2009-1563.html

Comment 20 errata-xmlrpc 2009-11-30 15:16:14 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.2
  Red Hat Network Satellite Server v 5.3

Via RHSA-2009:1616 https://rhn.redhat.com/errata/RHSA-2009-1616.html

Comment 21 errata-xmlrpc 2009-11-30 15:18:10 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.1

Via RHSA-2009:1617 https://rhn.redhat.com/errata/RHSA-2009-1617.html

Comment 24 errata-xmlrpc 2010-08-04 21:30:52 UTC
This issue has been addressed in the following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html

Comment 25 Kurt Seifried 2011-10-25 20:10:14 UTC
All child bugs are closed, closing parent bug.