Bug 493381 - (CVE-2009-0033) CVE-2009-0033 tomcat6 Denial-Of-Service with AJP connection
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All   OS: Linux
Priority: high   Severity: high
Assigned To: Red Hat Product Security
Pavel Kralik
impact=important,source=jpcert,public...
Keywords: Security
Depends On: 574565 503980 503981 504113 504115 528911 528912 528913 528914 533903 533905 574566
Blocks:
Reported: 2009-04-01 11:54 EDT by Marc Schoenefeld
Modified: 2013-04-30 19:32 EDT (History)
CC: 11 users

Doc Type: Bug Fix
Last Closed: 2011-10-25 16:10:14 EDT

Attachments: None

Comment 2 Marc Schoenefeld 2009-06-03 12:05:12 EDT
If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP connection. In case this connector is a member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behaviour can be used for a denial of service attack using a carefully crafted request.
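The failure chain in comment 2 (undecodable AJP header, connector hangs up, load balancer sidelines the member) modelled in code. This is an added example for this page, not Tomcat, mod_jk or Red Hat code, and it does not describe the linked patches: the AJP13 forward-request wire format and common-header codes are the published protocol, but the corrupted Host-length packet is a constructed bad input, the 400 reply in the "fixed" path is an assumption about the general remediation approach, and LbWorker is a toy stand-in for mod_jk's error-state logic with recover_time set to 60 s after the "approximately one minute" in the comment.

```python
"""AJP13 codec + toy connector/load-balancer model for comment 2 (added example, not Tomcat/mod_jk/Red Hat code)."""
import struct

REQ_MAGIC, RESP_MAGIC = b"\x12\x34", b"AB"  # packet magic: web server->container, container->web server
FORWARD_REQUEST, SEND_HEADERS, METHOD_GET = 2, 4, 2  # prefix codes and the AJP method code for GET
COMMON_HEADERS = {"accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
    "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006, "content-type": 0xA007,
    "content-length": 0xA008, "cookie": 0xA009, "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C,
    "referer": 0xA00D, "user-agent": 0xA00E}  # AJP13 two-byte codes that replace frequent header names
CODE_TO_HEADER = {v: k for k, v in COMMON_HEADERS.items()}

class MalformedAjp(ValueError):
    """Header block that cannot be decoded: bad length, missing NUL or unknown header code."""

def enc_str(s):  # AJP string: 2-byte big-endian length, bytes, NUL terminator (latin-1: 1 byte/char)
    return struct.pack(">H", len(s)) + s.encode("latin-1") + b"\x00"

def u16(buf, off):
    if off + 2 > len(buf):
        raise MalformedAjp("truncated 16-bit field at offset %d" % off)
    return struct.unpack_from(">H", buf, off)[0]

def dec_str(buf, off):
    n, off = u16(buf, off), off + 2
    if n == 0xFFFF:  # AJP encodes a null string as length 0xFFFF
        return None, off
    if off + n + 1 > len(buf) or buf[off + n] != 0:
        raise MalformedAjp("string length %d overruns packet or lacks NUL" % n)
    return buf[off:off + n].decode("latin-1"), off + n + 1

def build_forward_request(uri, headers, server="localhost", port=80):
    body = bytes([FORWARD_REQUEST, METHOD_GET]) + enc_str("HTTP/1.1") + enc_str(uri)
    body += enc_str("127.0.0.1") + enc_str("localhost") + enc_str(server)  # remote_addr, remote_host, server_name
    body += struct.pack(">HBH", port, 0, len(headers))  # server_port, is_ssl, num_headers
    for name, value in headers.items():
        code = COMMON_HEADERS.get(name.lower())
        body += (struct.pack(">H", code) if code else enc_str(name)) + enc_str(value)
    body += b"\xff"  # terminator: no request attributes follow
    return REQ_MAGIC + struct.pack(">H", len(body)) + body

def parse_forward_request(pkt):
    if len(pkt) < 5 or pkt[:2] != REQ_MAGIC or u16(pkt, 2) != len(pkt) - 4 or pkt[4] != FORWARD_REQUEST:
        raise MalformedAjp("bad magic, packet length or prefix code")
    off = 6  # past prefix code and method byte
    for _ in range(5):  # protocol, req_uri, remote_addr, remote_host, server_name
        _, off = dec_str(pkt, off)
    off += 3  # server_port (2 bytes) + is_ssl (1 byte)
    count, off, headers = u16(pkt, off), off + 2, {}
    for _ in range(count):
        tag = u16(pkt, off)
        if tag & 0xFF00 == 0xA000:  # common-header code in place of a name string
            name, off = CODE_TO_HEADER.get(tag), off + 2
        else:
            name, off = dec_str(pkt, off)
        if name is None:
            raise MalformedAjp("unknown header code or null header name")
        headers[name], off = dec_str(pkt, off)
    return headers

def reply(status, reason):  # minimal SEND_HEADERS packet: status line, zero response headers
    body = bytes([SEND_HEADERS]) + struct.pack(">H", status) + enc_str(reason) + b"\x00\x00"
    return RESP_MAGIC + struct.pack(">H", len(body)) + body

def connector(pkt, close_on_error):
    # True: hang up on an undecodable header as comment 2 describes (modelled as None); False: assumed fix, reply 400
    try:
        parse_forward_request(pkt)
    except MalformedAjp:
        return None if close_on_error else reply(400, "Bad Request")
    return reply(200, "OK")

class LbWorker:
    """Toy load-balancer member (an assumption about mod_jk's logic, not its code): a backend
    that hangs up without replying is skipped for recover_time seconds (~ one minute)."""
    def __init__(self, close_on_error, recover_time=60):
        self.close_on_error, self.recover_time, self.error_until = close_on_error, recover_time, 0.0

    def forward(self, pkt, now):
        if now < self.error_until:
            return "worker-in-error"
        resp = connector(pkt, self.close_on_error)
        if resp is None:
            self.error_until = now + self.recover_time
            return "worker-in-error"
        return u16(resp, 5)  # HTTP status field of the SEND_HEADERS packet

def demo(now=1000.0):
    good = build_forward_request("/index.jsp", {"Host": "example.com", "X-Trace": "abc"})
    i = good.index(b"\xa0\x0b") + 2  # constructed bad input: overstate the Host value length (0xA00B = Host)
    bad = good[:i] + b"\xff\xf0" + good[i + 2:]
    vuln, fixed = LbWorker(close_on_error=True), LbWorker(close_on_error=False)
    return {"parsed": parse_forward_request(good),
            "vuln_bad": vuln.forward(bad, now),              # one bad request hangs up ...
            "vuln_good_after": vuln.forward(good, now + 1),  # ... so valid ones are refused too
            "vuln_recovered": vuln.forward(good, now + 61),
            "fixed_bad": fixed.forward(bad, now),            # 400 on the same connection
            "fixed_good_after": fixed.forward(good, now + 1)}
```

Running demo() shows the two halves of the problem side by side: with the hang-up behaviour a single malformed request takes the member out of rotation for the whole recovery window, so valid requests arriving a second later are refused, while a connector that answers the bad request with an error on the open connection leaves the member healthy.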
Comment 4 Marc Schoenefeld 2009-06-03 12:53:53 EDT
Patchset for tomcat6: http://svn.apache.org/viewvc?view=rev&revision=742915
Patchset for tomcat5: http://svn.apache.org/viewvc?view=rev&revision=781362
Comment 7 errata-xmlrpc 2009-07-21 16:56:36 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1164 https://rhn.redhat.com/errata/RHSA-2009-1164.html
Comment 8 errata-xmlrpc 2009-09-21 11:51:49 EDT
This issue has been addressed in the following products:

  JBEWS 1.0.0 for RHEL 4
  JBEWS 1.0.0 for RHEL 5

Via RHSA-2009:1454 https://rhn.redhat.com/errata/RHSA-2009-1454.html
Comment 12 errata-xmlrpc 2009-10-14 12:15:18 EDT
This issue has been addressed in the following products:

  JBEWS 1.0.0 for RHEL 5
  JBEWS 1.0.0 for RHEL 4

Via RHSA-2009:1506 https://rhn.redhat.com/errata/RHSA-2009-1506.html
Comment 13 errata-xmlrpc 2009-11-09 10:26:26 EST
This issue has been addressed in the following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2009:1562 https://rhn.redhat.com/errata/RHSA-2009-1562.html
Comment 14 errata-xmlrpc 2009-11-09 10:37:34 EST
This issue has been addressed in the following products:

  Red Hat Developer Suite V.3

Via RHSA-2009:1563 https://rhn.redhat.com/errata/RHSA-2009-1563.html
Comment 20 errata-xmlrpc 2009-11-30 10:16:14 EST
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.2
  Red Hat Network Satellite Server v 5.3

Via RHSA-2009:1616 https://rhn.redhat.com/errata/RHSA-2009-1616.html
Comment 21 errata-xmlrpc 2009-11-30 10:18:10 EST
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.1

Via RHSA-2009:1617 https://rhn.redhat.com/errata/RHSA-2009-1617.html
Comment 24 errata-xmlrpc 2010-08-04 17:30:52 EDT
This issue has been addressed in the following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html
Comment 25 Kurt Seifried 2011-10-25 16:10:14 EDT
All children bugs are closed, closing parent bug