Bug 675338 (CVE-2011-0534)

Summary: CVE-2011-0534 tomcat: remote DoS via NIO connector
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dknox, dwalluck, mschoene, pcheung, pskopek, sochotni, wnefal+redhatbugzilla
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat6-6.0.24-19.el6_0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-09 09:59:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 674601, 674921, 674922, 675794, 676011    
Bug Blocks:    

Description Vincent Danen 2011-02-04 23:24:31 UTC 
Apache Tomcat 6.0.32 was released [1] to fix, among other things, a security flaw in the NIO connector.  The NIO connector would expand its buffer endlessly while reading in the request line, effectively ignoring the maxHttpHeaderSize setting.  The upstream commit to fix the issue is in r1066313 [2] and there is a corresponding bugzilla entry [3].  By the indications upstream, this only affects Tomcat 6.x and 7.x, although it does not specifically mention that 5.x is not vulnerable.

[1] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.32
[2] http://svn.apache.org/viewvc?view=revision&revision=1066313
[3] https://issues.apache.org/bugzilla/show_bug.cgi?id=50631
Comment 1 Vincent Danen 2011-02-07 17:11:08 UTC 
The upstream mail sent to the mailing lists has further details on this issue.  It only affects Tomcat 6.0.0 to 6.0.30 and Tomcat 7.0.0 to 7.0.6:

http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0076.html
Comment 2 Vincent Danen 2011-02-07 19:02:43 UTC 
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 675794]
Comment 5 errata-xmlrpc 2011-03-09 20:52:33 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0335 https://rhn.redhat.com/errata/RHSA-2011-0335.html
Comment 6 errata-xmlrpc 2011-03-11 00:38:37 UTC 
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 4
  JBEWS 1.0 for RHEL 5

Via RHSA-2011:0348 https://rhn.redhat.com/errata/RHSA-2011-0348.html
Comment 7 errata-xmlrpc 2011-03-11 01:09:26 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0350 https://rhn.redhat.com/errata/RHSA-2011-0350.html