[SECURITY] CVE-2012-0022 Apache Tomcat Denial of Service

From: Mark Thomas <markt@apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
Cc: Tomcat Announce List <announce@tomcat.apache.org>,announce@apache.org,Tomcat Developers List <dev@tomcat.apache.org>,full-disclosure@lists.grok.org.uk,bugtraq@securityfocus.com
Subject: [SECURITY] CVE-2012-0022 Apache Tomcat Denial of Service
Date:


CVE-2012-0022 Apache Tomcat Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.22
- Tomcat 6.0.0 to 6.0.33
- Tomcat 5.5.0 to 5.5.34
- Earlier, unsupported versions may also be affected

Description:
Analysis of the recent hash collision vulnerability identified unrelated
inefficiencies with Apache Tomcat's handling of large numbers of
parameters and parameter values. These inefficiencies could allow an
attacker, via a specially crafted request, to cause large amounts of CPU
to be consumed, which in turn could result in a denial of service.
The issue was addressed by modifying the Tomcat parameter handling code
to efficiently process large numbers of parameters and parameter values.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.23 or later
- Tomcat 6.0.x users should upgrade to 6.0.35 or later
- Tomcat 5.5.x users should upgrade to 5.5.35 or later
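
A quick way to apply the version ranges above across a fleet is to encode them once and classify each reported version. The following script is an added example, not part of the advisory or of Tomcat itself; it assumes the caller has already obtained a version string such as the "Server version: Apache Tomcat/x.y.z" line printed by `catalina.sh version`, and it hard-codes the affected and fixed releases exactly as listed in this advisory.

```python
"""Version-range check for CVE-2012-0022 (Apache Tomcat DoS via many parameters).

Added example; not part of the advisory or of Tomcat. It encodes the affected
ranges and fixed releases exactly as the advisory lists them. How the version
string is obtained is up to the caller (for instance the output of
`catalina.sh version`, which prints 'Server version: Apache Tomcat/x.y.z').
"""

import re

# (branch, first affected, last affected, first fixed) -- taken from the advisory
AFFECTED = [
    ((7, 0), (7, 0, 0), (7, 0, 22), (7, 0, 23)),
    ((6, 0), (6, 0, 0), (6, 0, 33), (6, 0, 35)),
    ((5, 5), (5, 5, 0), (5, 5, 34), (5, 5, 35)),
]

OLDEST_LISTED = (5, 5, 0)   # anything earlier: "may also be affected", unsupported

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull major.minor.patch out of strings such as 'Apache Tomcat/7.0.22'.

    Returns an int tuple, or None when no x.y.z token is present.
    """
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(text):
    """Classify a version string against the advisory.

    Returns one of:
      ("affected", version, fixed)  inside a listed affected range; move to `fixed`
      ("fixed", version)            on a listed branch, at or after the fixed release
      ("unlisted", version)         on a listed branch but in neither range
                                    (no such release is listed, e.g. 6.0.34)
      ("older", version)            before 5.5.0: unsupported, "may also be affected"
      ("newer", version)            branch after 7.0.x, outside this advisory's scope
      ("unknown", None)             no version found in the input
    """
    v = parse_version(text)
    if v is None:
        return ("unknown", None)
    for branch, lo, hi, fixed in AFFECTED:
        if v[:2] == branch:
            if lo <= v <= hi:
                return ("affected", v, fixed)
            if v >= fixed:
                return ("fixed", v)
            return ("unlisted", v)
    if v < OLDEST_LISTED:
        return ("older", v)
    return ("newer", v)


def describe(text):
    """One-line human-readable verdict for a version string."""
    result = assess(text)
    status = result[0]
    if status == "unknown":
        return "no Tomcat version found in input"
    version = ".".join(str(n) for n in result[1])
    if status == "affected":
        fixed = ".".join(str(n) for n in result[2])
        return "Tomcat %s is affected by CVE-2012-0022; upgrade to %s or later" % (version, fixed)
    if status == "fixed":
        return "Tomcat %s contains the fix for CVE-2012-0022" % version
    if status == "older":
        return "Tomcat %s is an unsupported release that may also be affected" % version
    if status == "newer":
        return "Tomcat %s is outside the branches covered by this advisory" % version
    return "Tomcat %s is not a release listed in the advisory" % version


if __name__ == "__main__":
    # Constructed sample inputs, in the shape `catalina.sh version` prints.
    samples = [
        "Server version: Apache Tomcat/7.0.22",
        "Server version: Apache Tomcat/6.0.35",
        "Server version: Apache Tomcat/5.5.34",
        "Server version: Apache Tomcat/4.1.40",
        "Server: Apache-Coyote/1.1",   # default HTTP Server header; carries no version
    ]
    for line in samples:
        print("%-40s -> %s" % (line, describe(line)))
```

Do not rely on the HTTP `Server` response header for this check: Tomcat's default value is `Apache-Coyote/1.1`, which carries no release number and is commonly customised. Read the version from the host itself (`catalina.sh version`, or `org/apache/catalina/util/ServerInfo.properties` inside `lib/catalina.jar`).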

Credit:
The inefficiencies in handling large numbers of parameters were
identified by the Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
