Bug 1191200 (CVE-2014-0230) - CVE-2014-0230 tomcat: non-persistent DoS attack by feeding data by aborting an upload
Summary: CVE-2014-0230 tomcat: non-persistent DoS attack by feeding data by aborting a...
Status: NEW
Alias: CVE-2014-0230
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20140719,reported=2...
Keywords: Security
Depends On: 1227592 1227593 1236893 1236899 1236905 1236910 1236915 1236920 1259358 1259359 1352004
Blocks: 1191201 1253310
TreeView+ depends on / blocked
 
Reported: 2015-02-10 16:38 UTC by Vasyl Kaigorodov
Modified: 2018-09-27 11:47 UTC (History)
73 users (show)

Fixed In Version: tomcat 6.0.44, tomcat 7.0.55, tomcat 8.0.9
Doc Type: Bug Fix
Doc Text:
It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and preventing further, legitimate connections to the Tomcat server to be made.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1621 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.1.0 tomcat security update 2015-08-13 19:30:33 UTC
Red Hat Product Errata RHSA-2015:1622 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.1.0 tomcat security update 2015-08-13 19:29:23 UTC
Red Hat Product Errata RHSA-2015:2659 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.2 security update 2015-12-16 23:20:00 UTC
Red Hat Product Errata RHSA-2015:2660 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.2 security update 2015-12-16 23:19:47 UTC
Red Hat Product Errata RHSA-2015:2661 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.2 security update 2015-12-16 23:19:41 UTC
Red Hat Product Errata RHSA-2016:0595 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-06 00:39:55 UTC
Red Hat Product Errata RHSA-2016:0596 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-06 00:39:02 UTC
Red Hat Product Errata RHSA-2016:0597 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-06 00:38:09 UTC
Red Hat Product Errata RHSA-2016:0598 normal SHIPPED_LIVE Moderate: jboss-ec2-eap security, bug fix, and enhancement update 2016-04-06 00:37:54 UTC
Red Hat Product Errata RHSA-2016:0599 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.7 update 2016-04-06 02:20:53 UTC

Description Vasyl Kaigorodov 2015-02-10 16:38:32 UTC
When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.

Upstream fix:

http://svn.apache.org/viewvc?view=revision&revision=1603781
http://svn.apache.org/viewvc?view=revision&revision=1603811
http://svn.apache.org/viewvc?view=revision&revision=1609176
http://svn.apache.org/viewvc?view=revision&revision=1659295

Comment 7 Jason Shepherd 2015-06-29 04:21:58 UTC
I tested this vulnerability against the version of Tomcat6 shipped with RHEL 6.6 and found it to be unaffected. I'm updating the whiteboard to reflect that.

Comment 11 Jason Shepherd 2015-06-30 02:15:32 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1236920]

Comment 13 errata-xmlrpc 2015-08-13 15:29:45 UTC
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 7
  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 5

Via RHSA-2015:1622 https://rhn.redhat.com/errata/RHSA-2015-1622.html

Comment 14 errata-xmlrpc 2015-08-13 15:31:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 2.1.0

Via RHSA-2015:1621 https://rhn.redhat.com/errata/RHSA-2015-1621.html

Comment 19 errata-xmlrpc 2015-12-16 18:21:21 UTC
This issue has been addressed in the following products:

  JBoss Web Server 3.0.2

Via RHSA-2015:2661 https://rhn.redhat.com/errata/RHSA-2015-2661.html

Comment 20 errata-xmlrpc 2015-12-16 18:22:02 UTC
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2015:2660 https://access.redhat.com/errata/RHSA-2015:2660

Comment 21 errata-xmlrpc 2015-12-16 18:22:45 UTC
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2015:2659 https://access.redhat.com/errata/RHSA-2015:2659

Comment 22 errata-xmlrpc 2016-04-05 20:41:09 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0598 https://rhn.redhat.com/errata/RHSA-2016-0598.html

Comment 23 errata-xmlrpc 2016-04-05 20:42:34 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:0597 https://rhn.redhat.com/errata/RHSA-2016-0597.html

Comment 24 errata-xmlrpc 2016-04-05 20:43:39 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html

Comment 25 errata-xmlrpc 2016-04-05 20:44:42 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html

Comment 26 errata-xmlrpc 2016-04-05 22:21:01 UTC
This issue has been addressed in the following products:



Via RHSA-2016:0599 https://rhn.redhat.com/errata/RHSA-2016-0599.html

Comment 27 errata-xmlrpc 2016-04-28 17:41:56 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:0596 https://rhn.redhat.com/errata/RHSA-2016-0596.html

Comment 28 errata-xmlrpc 2016-04-28 17:42:30 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2016:0595 https://rhn.redhat.com/errata/RHSA-2016-0595.html

Comment 29 Tomas Hoger 2018-09-27 11:47:05 UTC
The tomcat packages in Red Hat Enterprise Linux 7 were updated to the fixed upstream version via the following erratum, released as part of the Red Hat Enterprise Linux 7.3.

https://access.redhat.com/errata/RHSA-2016:2599


Note You need to log in before you can comment on or make changes to this bug.