[Japanese]

JVNDB-2009-000037

Apache Tomcat denial of service (DoS) vulnerability

Overview

Apache Tomcat from The Apache Software Foundation contains a denial of service (DoS) vulnerability.

Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies.
If Tomcat receives a request with an invalid header via the Java AJP connector, it will not return an error and instead closes the AJP connection. In case this connector is member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behavior can be used for a denial of service attack using a carefully crafted request.

According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.
For more information, refer to the developer's website.

Yoshihito Fukuyama of NTT OSS Center reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial

Affected Products


Apache Software Foundation
  • Apache Tomcat 4.1.0 to 4.1.39
  • Apache Tomcat 5.5.0 to 5.5.27
  • Apache Tomcat 6.0.0 to 6.0.18
VMware
  • VMware ESX 4.0
  • VMware ESX 3.5
  • VMware ESX 3.0.3
  • VMware Server 2.x
  • VMware vCenter 4.0
  • VMware VirtualCenter 2.5
  • VMware VirtualCenter 2.0.2
Apple Inc.
  • Apple Mac OS X Server v10.5.8
  • Apple Mac OS X Server v10.6 through v10.6.2
Sun Microsystems, Inc.
  • OpenSolaris (SPARC)
  • OpenSolaris (x86)
  • Sun Solaris 10 (SPARC)
  • Sun Solaris 10 (x86)
  • Sun Solaris 9 (SPARC)
  • Sun Solaris 9 (x86)
Hewlett-Packard Development Company, L.P
  • HP-UX Tomcat-based Servlet Engine before 5.5.30.01
  • HP-UX 11.11
  • HP-UX 11.23
  • HP-UX 11.31
MIRACLE LINUX CORPORATION
  • Asianux Server 3 for x86
  • Asianux Server 3 for x86-64
  • MIRACLE LINUX V2.0
  • MIRACLE LINUX V2.1
Red Hat, Inc.
  • Red Hat Enterprise Linux (v.5 server)
  • Red Hat Enterprise Linux Desktop (v.5 client)
  • Red Hat Enterprise Linux EUS (v. 5.3.z server)
  • RHEL Desktop Workstation (v.5 client)
NEC Corporation
  • InfoFrame DocumentSkipper

Impact

A remote attacker could possiblly cause a denial of service (DoS) attack by sending a specially crafted request.
Solution

[Update the Software]
For Apache Tomcat 6.0.x:
Update to Apache Tomcat 6.0.20 according to the information provided by the developer.

For Apache Tomcat 5.5.x and Apache Tomcat 4.1.x:
As of June 9, 2009, The Apache Tomcat Project has not yet released the latest versions resolving this vulnerability.
Update to Apache Tomcat 5.5.8 and 4.1.10 once they are released.

[Apply the Patch]
A patch for the respective versions have been released. Apply the appropriate patch if you are not able to update to the latest version.
Vendor Information

Apache Software Foundation VMware Apple Inc.
  • Apple Security Updates : HT4077
Oracle Corporation Sun Microsystems, Inc.
  • Sun Alert Notification : 263529
Hewlett-Packard Development Company, L.P MIRACLE LINUX CORPORATION Red Hat, Inc. NEC Corporation
  • NEC Security Information : NV10-002 (Japanese)
CWE (What is CWE?)

  1. Improper Input Validation(CWE-20) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2009-0033
References

  1. JVN : JVN#87272440
  2. National Vulnerability Database (NVD) : CVE-2009-0033
  3. Secunia Advisory : SA35326
  4. Secunia Advisory : SA35344
  5. SecurityFocus : 35193
  6. ISS X-Force Database : 50928
  7. SecurityTracker : 1022331
  8. VUPEN Security : VUPEN/ADV-2009-1496
Revision History

[2009/06/18]
  Web page published
[2009/08/11]
  Affected Products : Added Sun Microsystems, Inc. (263529).
  Affected Products : Added Red Hat, Inc. (RHSA-2009:1164).
  Vendor Information : Added Sun Microsystems, Inc. (263529).
  Vendor Information : Added Red Hat, Inc. (RHSA-2009:1164).
[2009/10/08]
  Affected Products : Added MIRACLE LINUX CORPORATION  (tomcat5-5.5.23-0jpp.7.2.1AXS3).
  Affected Products : Added MIRACLE LINUX CORPORATION  (1794).
  Vendor Information : Added MIRACLE LINUX CORPORATION  (tomcat5-5.5.23-0jpp.7.2.1AXS3).
  Vendor Information : Added MIRACLE LINUX CORPORATION  (1794).
[2009/11/13]
  Affected Products : Added Hewlett-Packard Development Company, L.P (HPSBUX02466).
  Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02466).
[2010/01/04]
  Affected Products : Added VMware (VMSA-2009-0016).
  Vendor Information : Added VMware (VMSA-2009-0016).
[2010/04/23]
  Affected Products : Added Apple Inc. (HT4077).
  Affected Products : Added NEC Corporation (NV10-002).
  Vendor Information : Added Apple Inc. (HT4077).
  Vendor Information : Added NEC Corporation (NV10-002).
[2010/12/13]
  Affected Products : Added Hewlett-Packard Development Company, L.P (HPUXWSATW313).
  Affected Products : Added Hewlett-Packard Development Company, L.P (HPSBUX02579).
  Vendor Information : Added Hewlett-Packard Development Company, L.P (HPUXWSATW313).
  Vendor Information : Added Hewlett-Packard Development Company, L.P (HPSBUX02579).
[2012/09/28]
  Vendor Information : Added Oracle Corporation (Multiple vulnerabilities in Oracle Java Web Console).