Bug 961783 (CVE-2012-3544)

Summary: CVE-2012-3544 tomcat: Limited DoS in chunked transfer encoding input filter
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akurtako, djorm, dknox, dwalluck, ivan.afonichev, java-sig-commits, jrusnack, kdaniel, lgao, mhasko, sochotni, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Apache Tomcat 6.0.37, Apache Tomcat 7.0.30 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-03 18:09:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 961807, 963090, 963091, 963092, 963093, 963094    
Bug Blocks: 959037, 961808    

Description Jan Lieskovsky 2013-05-10 11:34:32 UTC 
A denial of service flaw was found in the way chunked transfer encoding input filter of Apache Tomcat, an Apache Servlet/JSP Engine, processed CRLF sequences at the end of data chunks in certain circumstances. When the chunked transfer encoding was enabled, a remote attacker could issue a specially-crafted request that, when processed would lead to (limited) denial of service of the Apache Tomcat server.

Relevant upstream patch:
* for Apache Tomcat 6.x:
  http://svn.apache.org/viewvc?view=revision&revision=1476592 

* for Apache Tomcat 7:x:
  http://svn.apache.org/viewvc?view=rev&rev=1378702
  http://svn.apache.org/viewvc?view=rev&rev=1378921
Comment 1 Jan Lieskovsky 2013-05-10 12:57:10 UTC 
This issue did NOT affect the versions of the tomcat package, as shipped with Fedora release of 17 and 18 (the current versions already contain aforementioned upstream patch).

--

This issue affects the versions of the tomcat6 package, as shipped with Fedora release of 17 and 18. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-05-10 13:04:48 UTC 
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 961807]
Comment 5 David Jorm 2013-05-16 23:22:19 UTC 
Statement:

This flaw affects Apache Tomcat 6.0.30 - 6.0.36 and 7.0.0 - 7.0.29. It does not affect JBoss Web.
Comment 11 errata-xmlrpc 2013-07-03 15:49:48 UTC 
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6

Via RHSA-2013:1012 https://rhn.redhat.com/errata/RHSA-2013-1012.html
Comment 12 errata-xmlrpc 2013-07-03 15:51:37 UTC 
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5

Via RHSA-2013:1011 https://rhn.redhat.com/errata/RHSA-2013-1011.html
Comment 13 errata-xmlrpc 2013-07-03 16:22:48 UTC 
This issue has been addressed in following products:

  Red Hat JBoss Web Server 2.0.1

Via RHSA-2013:1013 https://rhn.redhat.com/errata/RHSA-2013-1013.html