PT-2008-1546 · Apache · Apache Tomcat

Published 2008-02-08 · Updated 2022-05-01 · CVE-2007-6286

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 5.5.11 through 5.5.25
Apache Tomcat versions 6.0.0 through 6.0.15

Description
The issue arises when the native APR connector is used and an empty request is sent to the SSL port. Tomcat may then handle a duplicate copy of one of the recent requests, potentially leading to unintended behavior. This can be demonstrated by using netcat to connect to the SSL port and then disconnecting without sending any data.

Recommendations
For Apache Tomcat versions 5.5.11 through 5.5.25, consider disabling the native APR connector until a patch is available.
For Apache Tomcat versions 6.0.0 through 6.0.15, consider disabling the native APR connector until a patch is available.
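
One way to check whether an installation matches the conditions described above, as an added example that is not part of the original advisory or of Tomcat itself. It assumes Tomcat's connector class name `Http11AprProtocol`, that `protocol="HTTP/1.1"` auto-selects APR when the native library is present, and that `SSLEnabled="true"` or `scheme="https"` marks an SSL connector; the `server.xml` sample is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Affected version ranges as stated in the advisory (inclusive).
AFFECTED = [((5, 5, 11), (5, 5, 25)), ((6, 0, 0), (6, 0, 15))]
# Assumption: Tomcat's APR connector class; "HTTP/1.1" (or no protocol
# attribute) lets Tomcat pick APR when the native library can be loaded.
APR_CLASS = "org.apache.coyote.http11.Http11AprProtocol"
AUTO_SELECT = {"", "HTTP/1.1"}

def version_affected(version):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def apr_ssl_connectors(server_xml, native_lib_present):
    """Return (port, reason) for SSL connectors that would run on APR."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        a = conn.attrib
        # Heuristic (assumption): either attribute marks an SSL connector.
        if not (a.get("SSLEnabled", "").lower() == "true"
                or a.get("scheme", "").lower() == "https"):
            continue
        proto = a.get("protocol", "")
        if proto == APR_CLASS:
            findings.append((a.get("port"), "APR connector set explicitly"))
        elif proto in AUTO_SELECT and native_lib_present:
            findings.append((a.get("port"), "APR auto-selected"))
    return findings

def assess(version, server_xml, native_lib_present):
    # An empty list means the advisory's conditions are not met.
    if not version_affected(version):
        return []
    return apr_ssl_connectors(server_xml, native_lib_present)

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https"/>
  </Service>
</Server>"""
if __name__ == "__main__":
    print(assess("6.0.14", SAMPLE, native_lib_present=True))
```

In the sample, the connector on port 9443 names the Java connector class explicitly, so it is not flagged even when the native library is installed.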

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2007-6286
GHSA-QRJ4-RMQG-4HCP

Affected Products

Apache Tomcat