MyCERT Advisories, Alerts and Summaries for the year 2009

MA-164.052009: MyCERT Alert - Apache Tomcat Denial of Service Vulnerability

Initial Release: 05 June 2009

1.0 Introduction

A critical vulnerability has been identified in Apache Tomcat that may be exploited to cause a denial of service. Currently, when Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error; instead it closes the AJP connection. If this connector is a member of a mod_jk load balancing worker, the worker is put into an error state and is blocked from use for approximately one minute. This behavior can therefore be used for a denial of service attack with a carefully crafted request.

2.0 Impact

By exploiting this vulnerability, an attacker could cause a denial of service on the Apache Tomcat application, causing the application to crash and become inaccessible.

3.0 Affected Products

The majority of Apache Tomcat releases are affected by this bug. The vulnerable versions are listed in detail below:

  • Apache Tomcat 6.0.0 up to 6.0.18
  • Apache Tomcat 5.5.0 up to 5.5.27
  • Apache Tomcat 4.1.0 up to 4.1.39
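As an added example, not part of the MyCERT advisory, the following Python script checks a set of Tomcat version strings against the affected ranges given in section 3.0 above. It treats each "x up to y" range as inclusive of both endpoints (an assumption), accepts both a bare "6.0.18" and the "Apache Tomcat/6.0.18" form printed by Tomcat's version script (also an assumption), and the inventory it triages is constructed sample data.

```python
# Added example (not MyCERT's code): triage Tomcat version strings against
# the affected ranges listed in section 3.0 of this alert.
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, int, int]

# Ranges copied from section 3.0; both endpoints are treated as affected
# (assumption: "up to" is inclusive).
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((6, 0, 0), (6, 0, 18)),
    ((5, 5, 0), (5, 5, 27)),
    ((4, 1, 0), (4, 1, 39)),
]


def parse_version(text: str) -> Version:
    """Turn '6.0.18' or 'Apache Tomcat/6.0.18' into a comparable tuple.

    The 'Apache Tomcat/x.y.z' prefix is the form assumed to appear in the
    output of Tomcat's version script; anything else is rejected rather than
    silently mis-compared.
    """
    text = text.strip()
    if "/" in text:
        text = text.rsplit("/", 1)[1]
    parts = text.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside any range from section 3.0."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each version string in an inventory to its affected status."""
    return {v: is_affected(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = [
        "Apache Tomcat/6.0.18",   # last version inside the 6.0.x range
        "6.0.20",                 # outside the ranges listed in section 3.0
        "5.5.27",                 # last version inside the 5.5.x range
        "4.1.40",                 # outside the 4.1.x range
    ]
    for version, affected in triage(inventory).items():
        status = "AFFECTED - upgrade" if affected else "not in affected ranges"
        print(f"{version:24} {status}")
```

Because the ranges are compared as integer tuples rather than as strings, "6.0.9" correctly sorts below "6.0.18"; a plain string comparison would get that wrong.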

4.0 Recommendation

Users are recommended to upgrade to:

4.1 Apache Tomcat version 6.0.x

4.2 Apache Tomcat version 5.5.x

4.3 Apache Tomcat version 4.1.x

MyCERT advises users of this product to keep themselves updated with the latest security announcements by the vendor.

MyCERT can be reached at:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 or 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

5.0 References