Bug 961783 - (CVE-2012-3544) CVE-2012-3544 tomcat: Limited DoS in chunked transfer encoding input filter
CVE-2012-3544 tomcat: Limited DoS in chunked transfer encoding input filter
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130510,repor...
: Security
Depends On: 961807 963090 963091 963092 963093 963094
Blocks: 959037 961808
  Show dependency treegraph
 
Reported: 2013-05-10 07:34 EDT by Jan Lieskovsky
Modified: 2015-07-31 07:57 EDT (History)
12 users (show)

See Also:
Fixed In Version: Apache Tomcat 6.0.37, Apache Tomcat 7.0.30
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-03 14:09:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2013-05-10 07:34:32 EDT
A denial of service flaw was found in the way chunked transfer encoding input filter of Apache Tomcat, an Apache Servlet/JSP Engine, processed CRLF sequences at the end of data chunks in certain circumstances. When the chunked transfer encoding was enabled, a remote attacker could issue a specially-crafted request that, when processed would lead to (limited) denial of service of the Apache Tomcat server.

Relevant upstream patch:
* for Apache Tomcat 6.x:
  http://svn.apache.org/viewvc?view=revision&revision=1476592 

* for Apache Tomcat 7:x:
  http://svn.apache.org/viewvc?view=rev&rev=1378702
  http://svn.apache.org/viewvc?view=rev&rev=1378921
Comment 1 Jan Lieskovsky 2013-05-10 08:57:10 EDT
This issue did NOT affect the versions of the tomcat package, as shipped with Fedora release of 17 and 18 (the current versions already contain aforementioned upstream patch).

--

This issue affects the versions of the tomcat6 package, as shipped with Fedora release of 17 and 18. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-05-10 09:04:48 EDT
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 961807]
Comment 5 David Jorm 2013-05-16 19:22:19 EDT
Statement:

This flaw affects Apache Tomcat 6.0.30 - 6.0.36 and 7.0.0 - 7.0.29. It does not affect JBoss Web.
Comment 11 errata-xmlrpc 2013-07-03 11:49:48 EDT
This issue has been addressed in following products:

  JBEWS 2 for RHEL 6

Via RHSA-2013:1012 https://rhn.redhat.com/errata/RHSA-2013-1012.html
Comment 12 errata-xmlrpc 2013-07-03 11:51:37 EDT
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5

Via RHSA-2013:1011 https://rhn.redhat.com/errata/RHSA-2013-1011.html
Comment 13 errata-xmlrpc 2013-07-03 12:22:48 EDT
This issue has been addressed in following products:

  Red Hat JBoss Web Server 2.0.1

Via RHSA-2013:1013 https://rhn.redhat.com/errata/RHSA-2013-1013.html

Note You need to log in before you can comment on or make changes to this bug.