According to http://tomcat.apache.org/security-5.html
Fixed in Apache Tomcat 5.5.13, 5.0.HEAD
Denial of service CVE-2005-3510
The root cause is the relatively expensive calls required to generate the
content for the directory listings. If directory listings are enabled, the
number of files in each directory should be kept to a minimum. In response to
this issue, directory listings were changed to be disabled by default.
Additionally, a patch has been proposed that would improve performance,
particularly for large directories, by caching directory listings.
Affects: 5.0.0-5.5.30, 5.5.0-5.5.12
(actually this issue was I believe fixed in 5.5.12 not 5.5.13; clarifying with
Tomcat security team)
Advisory text: "Directory listings were enabled by default in Tomcat and it was
found that generating listings of large directories was CPU intensive. An
attacker could make repeated requests to obtain a directory listing of any
large directory, leading to a denial of service. (CVE-2005-3510)"
So directory listings were disabled by default in 5.5.13 which mitigates this
issue. Changes were made in 5.5.12 which reduced the effect of this issue (once
the attacker stops making the requests, Tomcat will recover, so it's only a
This issue has been addressed in the following products:
Red Hat Certificate System 7.3
Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html
Please see https://access.redhat.com/security/cve/CVE-2005-3510 for a list of other products that contain this fix.