Apache · Apache Tomcat · CVE-2012-2733
**Name of the Vulnerable Software and Affected Versions**
Apache Tomcat versions 6.0.0 through 6.0.35
Apache Tomcat versions 7.0.0 through 7.0.27
**Description**
The HTTP NIO connector (`org.apache.coyote.http11.Http11NioProtocol`) did not properly restrict the size of request headers. The checks that enforce the permitted header size (the connector's `maxHttpHeaderSize` attribute, 8192 bytes by default) were applied too late in request parsing, after the header data had already been buffered in memory, so a single request carrying very large headers could drive the JVM into an OutOfMemoryError. A remote, unauthenticated attacker can therefore cause a denial of service (memory consumption) by sending a large amount of header data; no valid credentials or application-specific knowledge are needed, since header parsing happens before any request reaches a web application. Only deployments whose HTTP connector uses the NIO implementation are affected.
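As an added illustration of the defect class described above (constructed example code, not Tomcat's own NIO connector source, and written in Python rather than Java so it runs stand-alone), the two readers below consume a request header block from a byte stream. Both enforce a header-size limit; the first consults it only after the whole block has been buffered, which is the shape of the defect, while the second consults it before every read, which is the hardened form. The chunk size, the limit value and the padded sample request are assumptions chosen for the demonstration.

```python
"""Late versus early enforcement of a request-header size limit.

Constructed example for the CVE-2012-2733 defect class; not Tomcat code.
"""
import io

MAX_HEADER_BYTES = 8192   # Tomcat's default maxHttpHeaderSize
CHUNK = 1024              # bytes per socket read; an assumed value
HEADER_END = b"\r\n\r\n"  # blank line that terminates the header block


class HeaderTooLarge(Exception):
    """Raised when the header block exceeds the configured limit."""


def read_headers_late_check(stream, limit=MAX_HEADER_BYTES):
    """Buffers the whole header block, then checks its size (the defect).

    Every byte the client sends before the blank line is held in memory
    before the limit is consulted; a client that never sends the blank
    line keeps the buffer growing until it closes the connection.
    Returns the header block as bytes.
    """
    buf = bytearray()
    while HEADER_END not in buf:
        chunk = stream.read(CHUNK)
        if not chunk:
            raise ValueError("connection closed before end of headers")
        buf += chunk
    end = buf.index(HEADER_END) + len(HEADER_END)
    if end > limit:  # the check exists, but only after everything is buffered
        raise HeaderTooLarge(f"header block of {end} bytes exceeds {limit}")
    return bytes(buf[:end])


def read_headers_early_check(stream, limit=MAX_HEADER_BYTES):
    """Applies the limit before each read (the hardened form).

    Memory held per connection is bounded by limit + CHUNK no matter how
    much header data the client sends or whether it ever sends the blank line.
    """
    buf = bytearray()
    while True:
        idx = buf.find(HEADER_END)
        if idx != -1:
            end = idx + len(HEADER_END)
            if end > limit:
                raise HeaderTooLarge(f"header block of {end} bytes exceeds {limit}")
            return bytes(buf[:end])
        if len(buf) > limit:
            raise HeaderTooLarge(f"more than {limit} header bytes without a terminator")
        chunk = stream.read(CHUNK)
        if not chunk:
            raise ValueError("connection closed before end of headers")
        buf += chunk


def oversized_request(pad_bytes):
    """Constructed request whose single X-Pad header value is pad_bytes long."""
    return (b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Pad: "
            + b"A" * pad_bytes + HEADER_END)


def parse_request(reader, pad_bytes):
    """Runs `reader` over a constructed request and returns the header block."""
    return reader(io.BytesIO(oversized_request(pad_bytes)))


def bytes_buffered_before_rejection(reader, pad_bytes):
    """How much of the request `reader` pulled in before raising HeaderTooLarge."""
    stream = io.BytesIO(oversized_request(pad_bytes))
    try:
        reader(stream)
    except HeaderTooLarge:
        return stream.tell()
    raise AssertionError("reader accepted an oversized header block")


if __name__ == "__main__":
    pad = 500_000  # one request carrying roughly half a megabyte of header data
    print("late check buffered :", bytes_buffered_before_rejection(read_headers_late_check, pad))
    print("early check buffered:", bytes_buffered_before_rejection(read_headers_early_check, pad))
```

With the late check the amount of memory consumed per connection equals whatever the client chooses to send; with the early check it never exceeds the limit plus one read, which is the property the fixed releases restore.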
**Recommendations**
For Apache Tomcat versions 6.0.0 through 6.0.35, update to version 6.0.36 or later.
For Apache Tomcat versions 7.0.0 through 7.0.27, update to version 7.0.28 or later.
Only the HTTP NIO connector is affected, so check `conf/server.xml` for `Connector` elements whose `protocol` is `org.apache.coyote.http11.Http11NioProtocol`; an installation that uses only the blocking (`HTTP/1.1`) or AJP connectors is not exposed to this issue. Because the size limit is consulted only after the headers have been buffered, lowering `maxHttpHeaderSize` does not by itself bound the memory consumed on an affected version; upgrading is the fix.
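An added check (not Tomcat's own tooling) that applies the version ranges above and scans `server.xml` for Connectors using the NIO protocol, since only those are exposed. The `server.xml` below is constructed for the example; the statement that `protocol="HTTP/1.1"` selects the blocking or APR connector rather than NIO on Tomcat 6 and 7 is an assumption recorded in the code.

```python
"""Assess a Tomcat installation against the CVE-2012-2733 affected ranges.

Added example, not Tomcat's own tooling.
"""
import re
import xml.etree.ElementTree as ET

NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"

# Affected ranges from the advisory: branch -> (first affected, first fixed).
AFFECTED_RANGES = {
    6: ((6, 0, 0), (6, 0, 36)),
    7: ((7, 0, 0), (7, 0, 28)),
}


def parse_version(text):
    """Extracts major.minor.patch from e.g. 'Apache Tomcat/7.0.27'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) for g in m.groups())


def version_is_affected(text):
    """True if the version falls inside an affected range for its branch."""
    v = parse_version(text)
    rng = AFFECTED_RANGES.get(v[0])
    return rng is not None and rng[0] <= v < rng[1]


def nio_http_connectors(server_xml):
    """Returns [(port, maxHttpHeaderSize)] for Connectors using the NIO protocol.

    Assumption: on Tomcat 6 and 7, protocol="HTTP/1.1" (or no protocol
    attribute) selects the blocking or APR connector, so only an explicit
    Http11NioProtocol value indicates the affected connector.
    """
    root = ET.fromstring(server_xml)
    return [
        (c.get("port"), c.get("maxHttpHeaderSize", "8192 (default)"))
        for c in root.iter("Connector")
        if c.get("protocol") == NIO_PROTOCOL
    ]


def assess(version_text, server_xml):
    """Combines both checks; the install is exposed only if both are true."""
    nio = nio_http_connectors(server_xml)
    affected = version_is_affected(version_text)
    return {
        "version_affected": affected,
        "nio_connectors": nio,
        "exposed": affected and bool(nio),
    }


# Constructed server.xml for the example: one NIO HTTP connector, one AJP.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""


if __name__ == "__main__":
    # Version string as printed by `catalina.sh version` ("Server version: ...").
    print(assess("Apache Tomcat/7.0.27", SAMPLE_SERVER_XML))
```

Feed it the `Server version:` line from `catalina.sh version` (or `version.bat`) and the contents of `conf/server.xml`; a result with `exposed` set to True means the upgrade above applies to that instance.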