It was discovered that the ChunkedInputFilter implementation did not fail subsequent attempts to read input early enough. A remote attacker could use this flaw to perform a denial of service attack, by streaming an unlimited quantity of data, leading to consumption of server resources.
Upstream Fix:
Tomcat: http://svn.apache.org/viewvc?view=revision&revision=1600984
JBossWeb: https://source.jboss.org/changelog/JBossWeb?cs=2455
Upstream fix for Tomcat 6: https://svn.apache.org/viewvc?view=revision&revision=1603628
Upstream fix for Tomcat 7: https://svn.apache.org/viewvc?view=revision&revision=1601333
External References:
https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.43
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55
Created tomcat tracking bugs for this issue:
Affects: fedora-all [bug 1190821]
This issue has been addressed in the following products:
Red Hat JBoss BRMS 6.0.3
Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html
This issue has been addressed in the following products:
Red Hat JBoss BPM Suite 6.0.3
Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html
tomcat-7.0.59-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Tomcat upstream advisories (see comment 18 above) point out additional impact - request smuggling. Tomcat may read the next request from the malformed chunked request body, rather than aborting the connection as soon as the first encoding issue is detected. Upstream does not indicate where this may have practical impact, as Tomcat accepts multiple requests pipelined in a single connection. It seems this may have impact in deployments where Tomcat is accessed via a reverse proxy that only exposes certain paths / web applications. This may possibly allow bypass of proxy restrictions and allow access to URLs not exposed by the proxy. However, this attack would require the proxy to allow malformed requests to be passed to Tomcat.
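Added example (not Tomcat's or JBoss Web's code): a minimal chunked-body decoder in Python that shows the fail-closed behaviour the first comment and the smuggling comment above call for: once a chunk-encoding error is seen, every further read fails instead of consuming more data, and the bytes after the error are never handed to the next pipelined request's parser. ChunkedDecoder, read_chunk and next_request_bytes are hypothetical names, and the inputs in the test are constructed.

```python
import re

# chunk-size line: hex size followed by an optional ";ext" chunk extension
CHUNK_SIZE = re.compile(rb"^([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?$")

class ChunkedDecoder:
    """Decode a chunked body from a pre-read buffer (constructed; a server reads a socket)."""

    def __init__(self, conn_buf, max_body=1 << 20):
        self.buf, self.pos, self.max_body = conn_buf, 0, max_body
        self.body, self.error, self.done = bytearray(), None, False

    def _fail(self, why):
        self.error = why                    # poison the stream permanently
        raise ValueError(why)

    def _line(self):
        end = self.buf.find(b"\r\n", self.pos)
        if end < 0:
            self._fail("missing CRLF")
        line, self.pos = self.buf[self.pos:end], end + 2
        return line

    def read_chunk(self):
        """Return the next chunk's data, or b'' once the body is complete."""
        if self.error:                      # fail closed on every later read
            raise ValueError("stream already failed: " + self.error)
        if self.done:
            return b""
        m = CHUNK_SIZE.match(self._line())
        if not m:
            self._fail("invalid chunk-size line")
        size = int(m.group(1), 16)
        if size == 0:                       # last-chunk: skip any trailers
            while self._line() != b"":
                pass
            self.done = True
            return b""
        if len(self.body) + size > self.max_body:
            self._fail("body exceeds limit")
        end = self.pos + size
        if len(self.buf) < end + 2 or self.buf[end:end + 2] != b"\r\n":
            self._fail("truncated chunk or missing chunk CRLF")
        data, self.pos = self.buf[self.pos:end], end + 2
        self.body += data
        return data

    def next_request_bytes(self):
        """Bytes for the next pipelined request's parser; None = close the connection."""
        return None if self.error else bytes(self.buf[self.pos:])
```

A well-formed body leaves its trailing bytes available for the next pipelined request; a malformed one returns None from next_request_bytes, so the connection is closed rather than reused.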
This issue has been addressed in the following products:
JBoss Data Virtualization 6.1.0
Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
This issue has been addressed in the following products:
Red Hat JBoss Fuse Service Works 6.0.0
Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html
This issue has been addressed in the following products:
Red Hat JBoss Data Virtualization 6.0.0
Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:0983 https://rhn.redhat.com/errata/RHSA-2015-0983.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2015:0991 https://rhn.redhat.com/errata/RHSA-2015-0991.html
This issue has been addressed in the following products:
JBoss Portal 6.2.0
Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html