A denial of service flaw was found in the way Tomcat's HTTP NIO connector enforced limits on the permitted size of request headers. A remote attacker could use this flaw to trigger an OutOfMemoryError by sending a specially-crafted request with very large headers. This flaw affects all versions of Tomcat up to 6.0.35 [1] and 7.0.27 [2].

[1] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.36
[2] http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.28

Relevant upstream patches are:
Tomcat 6: http://svn.apache.org/viewvc?view=rev&rev=1356208
Tomcat 7: http://svn.apache.org/viewvc?view=rev&rev=1350301
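Added illustration of the defect class described above; this is not code from the bug report or from Tomcat. It models a header reader that consults the size limit only after the whole header section has been buffered (so peak memory is whatever the client chooses to send) beside one that checks on every read, and counts the bytes each variant holds for a single oversized request. The request builder, the chunked stream, the 1024-byte read size and the probe_header_limit helper are assumptions made for the example; 8192 bytes is Tomcat's documented default maxHttpHeaderSize.

```python
"""Request-header size limit: late check versus early check.

Hypothetical model, not Tomcat code. The same oversized request is fed to
two readers that differ only in when the configured limit is consulted.
"""
import socket

MAX_HEADER_BYTES = 8 * 1024   # Tomcat's documented default maxHttpHeaderSize
READ_CHUNK = 1024             # assumed size of one socket read (hypothetical)
HEADER_END = b"\r\n\r\n"


def build_oversized_request(total_bytes):
    """Constructed sample input: a GET whose single X-Pad header pads the
    request to exactly total_bytes (never shorter than prefix + terminator)."""
    prefix = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Pad: "
    pad = max(0, total_bytes - len(prefix) - len(HEADER_END))
    return prefix + b"A" * pad + HEADER_END


class ChunkedStream:
    """Hands out the request in READ_CHUNK slices, like reads from a socket."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def read(self, n):
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def parse_header_section(stream, limit=MAX_HEADER_BYTES, check_early=True):
    """Read until the blank line that ends the header section.

    Returns (accepted, peak_buffered). With check_early=False the limit is
    only consulted once the whole section is in memory, so peak_buffered
    grows with whatever the client sends; with check_early=True the read
    loop stops as soon as the buffer exceeds the limit.
    """
    buf = bytearray()
    peak = 0
    while True:
        chunk = stream.read(READ_CHUNK)
        if not chunk:               # client closed before the header ended
            break
        buf += chunk
        peak = max(peak, len(buf))
        if check_early and len(buf) > limit:
            return False, peak
        # only the tail can hold a terminator that this chunk completed
        if HEADER_END in buf[-(len(chunk) + len(HEADER_END) - 1):]:
            break
    if len(buf) > limit:
        return False, peak
    return True, peak


def compare_checks(total_bytes, limit=MAX_HEADER_BYTES):
    """Peak bytes buffered by each variant for one request of total_bytes."""
    req = build_oversized_request(total_bytes)
    late = parse_header_section(ChunkedStream(req), limit, check_early=False)
    early = parse_header_section(ChunkedStream(req), limit, check_early=True)
    return {"late": late, "early": early}


def probe_header_limit(host, port, total_bytes, timeout=5.0):
    """Configuration check against a live server (hypothetical helper,
    needs network): send one request slightly over the configured limit
    and return the status line. A server that enforces the limit answers
    400 promptly; no answer before the timeout is worth investigating."""
    req = build_oversized_request(total_bytes)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            reply = s.recv(256)
        except socket.timeout:
            return None
    return reply.split(b"\r\n", 1)[0].decode("latin-1") if reply else None


if __name__ == "__main__":
    one_mib = 1024 * 1024
    print(compare_checks(one_mib))
    # late buffers the whole 1 MiB before rejecting; early stops at 9216 bytes
```

The late variant rejects the request too, but only after holding the entire header section; one client sending headers far larger than 1 MiB, or many clients in parallel, is what turns that into an OutOfMemoryError. The early variant never holds more than limit plus one read.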
This issue affects the version of the tomcat6 package as shipped with JBoss Enterprise Web Server 1.0.2.
--
This issue affects the versions of the tomcat6 package as shipped with Fedora releases 16 and 17.
Relevant upstream patch for Tomcat 7:
[3] http://svn.apache.org/viewvc?view=rev&rev=1350301
Affected Tomcat 7 versions: from 7.0.0 up to 7.0.27.
This issue affects the version of the tomcat package as shipped with Fedora release 16.
--
This issue did not affect the version of the tomcat package as shipped with Fedora release 17 (that version was already updated).
Created tomcat6 tracking bugs for this issue
Affects: fedora-all [bug 873703]
Created tomcat tracking bugs for this issue
Affects: fedora-16 [bug 873707]
This flaw does not affect jbossweb as the NIO connector is not present.
tomcat-7.0.33-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
JBoss Enterprise Web Server 2.0.0
Via RHSA-2013:0265 https://rhn.redhat.com/errata/RHSA-2013-0265.html
This issue has been addressed in the following products:
JBEWS 2 for RHEL 5
JBEWS 2 for RHEL 6
Via RHSA-2013:0266 https://rhn.redhat.com/errata/RHSA-2013-0266.html