CVE-2011-0534

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 6.0.0 through 6.0.30 Apache Tomcat versions 7.0.0 through 7.0.6

Description The issue allows remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request, due to the NIO HTTP connector not enforcing the maxHttpHeaderSize limit for requests. The NIO connector expands its buffer endlessly during request line processing, which can be used for a denial of service attack.

Recommendations For Apache Tomcat versions 6.0.0 through 6.0.30, consider updating to a version that enforces the maxHttpHeaderSize limit to prevent denial of service attacks. For Apache Tomcat versions 7.0.0 through 7.0.6, consider updating to a version that enforces the maxHttpHeaderSize limit to prevent denial of service attacks. As a temporary workaround, consider restricting the size of HTTP headers to minimize the risk of exploitation.