When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.
Upstream fix:
http://svn.apache.org/viewvc?view=revision&revision=1603781
http://svn.apache.org/viewvc?view=revision&revision=1603811
http://svn.apache.org/viewvc?view=revision&revision=1609176
http://svn.apache.org/viewvc?view=revision&revision=1659295
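As an added illustration (not part of this bug report or the linked advisories), the following server.xml Connector fragment contrasts the unbounded pre-fix behaviour with the mitigation the upstream fix introduced. The fixed Tomcat releases add a maxSwallowSize Connector attribute, documented in the upstream Tomcat Connector reference rather than on this page, that caps how many bytes of an abandoned request body Tomcat will read and discard before it gives up and closes the connection. The port, protocol and timeout values are illustrative.

```xml
<!-- Added example: server.xml Connector settings, not taken from the bug report.
     Port, protocol and connectionTimeout values are illustrative. -->

<!-- Pre-fix behaviour (and what maxSwallowSize="-1" selects on fixed versions):
     no limit on how much of an abandoned request body Tomcat reads and discards,
     so a request body that keeps arriving slowly keeps the processing thread
     allocated to that connection indefinitely. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxSwallowSize="-1" />

<!-- Mitigated configuration: once the response has been sent and the remaining
     body exceeds the limit, Tomcat stops swallowing and closes the connection,
     freeing the processing thread. On the fixed versions the attribute defaults
     to 2097152 bytes (2 MB) when it is not specified. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxSwallowSize="2097152" />
```

Setting the attribute explicitly, as in the second Connector, makes the intended bound visible in configuration review; a value below zero reproduces the vulnerable unbounded behaviour and should be treated as a finding when auditing server.xml on patched installations.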
I tested this vulnerability against the version of Tomcat6 shipped with RHEL 6.6 and found it to be unaffected. I'm updating the whiteboard to reflect that.
External References:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.9
Created tomcat tracking bugs for this issue:
Affects: epel-6 [bug 1236920]
This issue has been addressed in the following products:
  JBEWS 2 for RHEL 7
  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 5
Via RHSA-2015:1622 https://rhn.redhat.com/errata/RHSA-2015-1622.html
This issue has been addressed in the following products:
  Red Hat JBoss Web Server 2.1.0
Via RHSA-2015:1621 https://rhn.redhat.com/errata/RHSA-2015-1621.html
This issue has been addressed in the following products:
  JBoss Web Server 3.0.2
Via RHSA-2015:2661 https://rhn.redhat.com/errata/RHSA-2015-2661.html
This issue has been addressed in the following products:
  JWS 3.0 for RHEL 7
Via RHSA-2015:2660 https://access.redhat.com/errata/RHSA-2015:2660
This issue has been addressed in the following products:
  JWS 3.0 for RHEL 6
Via RHSA-2015:2659 https://access.redhat.com/errata/RHSA-2015:2659
This issue has been addressed in the following products:
  JBEAP 6.4.z for RHEL 6
Via RHSA-2016:0598 https://rhn.redhat.com/errata/RHSA-2016-0598.html
This issue has been addressed in the following products:
  JBEAP 6.4.z for RHEL 7
Via RHSA-2016:0597 https://rhn.redhat.com/errata/RHSA-2016-0597.html
This issue has been addressed in the following products:
  JBEAP 6.4.z for RHEL 6
Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html
This issue has been addressed in the following products:
  JBEAP 6.4.z for RHEL 5
Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html
This issue has been addressed in the following products:
Via RHSA-2016:0599 https://rhn.redhat.com/errata/RHSA-2016-0599.html
The tomcat packages in Red Hat Enterprise Linux 7 were updated to the fixed upstream version via the following erratum, released as part of Red Hat Enterprise Linux 7.3.
https://access.redhat.com/errata/RHSA-2016:2599