Bug 880011 (CVE-2012-5568)
| Summary: | CVE-2012-5568 tomcat: Slowloris denial of service | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | David Jorm <djorm> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | jlieskov, mjc, pcheung |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-01-29 00:22:02 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
David Jorm
2012-11-26 01:14:30 UTC
Statement: This issue affects tomcat and jbossweb as shipped in various Red Hat products. This issue can be mitigated using appropriate firewall configuration, as noted here: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6750 This issue can also be partially mitigated by configuring an appropriate timeout using the connectionTimeout property for the relevant Connector(s) defined in server.xml, but testing shows that some variants of the attack may still be effective with this configuration. The tomcat project has advised that although this flaw can affect tomcat, there is no good solution available, and the tomcat security team does not consider it a vulnerability in tomcat or plan to release a patch: http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat Related upstream list post: http://mail-archives.apache.org/mod_mbox/tomcat-users/200906.mbox/%3C4A3D0884.5080309@apache.org%3E Slowloris site: http://ha.ckers.org/slowloris/ |