PT-2009-2745 · Apache · Apache Tomcat

Published 2009-06-03 · Updated 2023-02-13 · CVE-2009-0033

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 4.1.0 through 4.1.39
Apache Tomcat versions 5.5.0 through 5.5.27
Apache Tomcat versions 6.0.0 through 6.0.18

Description

The issue allows remote attackers to cause a denial of service, resulting in an application outage, by sending a crafted request with invalid headers via the Java AJP connector when mod_jk load balancing is used. A connector that encounters an error is temporarily blocked. For instance, an error can be triggered by a malformed HTTP Host header. If the connector is a member of a mod_jk load balancing worker, it is put into an error state and blocked from use for about one minute, so a carefully crafted request can be used for a denial of service attack.

Recommendations

For Apache Tomcat versions 4.1.0 through 4.1.39, consider disabling the Java AJP connector until a patch is available to prevent exploitation.
For Apache Tomcat versions 5.5.0 through 5.5.27, restrict access to the mod_jk load balancing worker to minimize the risk of denial of service attacks.
For Apache Tomcat versions 6.0.0 through 6.0.18, avoid using the Java AJP connector with mod_jk load balancing until the issue is resolved.
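As an added illustration (not part of this advisory, Tomcat or mod_jk), the Python code below shows a front-end request filter that checks the HTTP Host header against the RFC 7230 grammar, so that requests with a malformed Host header are rejected and counted per source before they reach the AJP connector. The advisory does not say which malformation triggers the error state, so the check is a general syntax check; the request records and addresses are constructed sample data.

```python
import re
from collections import Counter

# Host header grammar (RFC 7230 s5.4 / RFC 3986 s3.2.2):
#   Host = uri-host [ ":" port ],  uri-host = IP-literal / IPv4address / reg-name
# "%" is accepted loosely here instead of requiring a full %HH pct-encoding.
_REG_NAME = r"[A-Za-z0-9\-._~%!$&'()*+,;=]*"
_IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"  # bracketed IPv6 literal
_HOST_RE = re.compile(rf"^(?:{_IP_LITERAL}|{_REG_NAME})(?::(\d*))?$")


def host_header_problem(value):
    """Return None if `value` is a syntactically valid Host header, else a reason."""
    if value is None:                 # HTTP/1.1 requires a Host header
        return "missing"
    if len(value) > 255:
        return "too long"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return "control character"    # also blocks header-injection attempts
    match = _HOST_RE.match(value)
    if not match:
        return "malformed host"       # e.g. spaces, unbracketed IPv6, non-numeric port
    port = match.group(1)
    if port and int(port) > 65535:
        return "port out of range"
    return None


def rejected_by_source(requests):
    """Count rejected requests per client address.

    `requests` is a list of constructed dicts with keys "src" and "host" (the Host
    header value, or None if absent). Many rejections from one source are the
    signal worth alerting on, since each error blocks a worker for about a minute.
    """
    counts = Counter()
    for req in requests:
        if host_header_problem(req.get("host")) is not None:
            counts[req["src"]] += 1
    return counts


# Constructed sample traffic, not captured from a real deployment.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "host": "app.example.internal:8009"},
    {"src": "10.0.0.9", "host": "app.example.internal\r\nX-Injected: 1"},
    {"src": "10.0.0.9", "host": "app.example.internal:99999"},
    {"src": "10.0.0.9", "host": "::1"},
    {"src": "10.0.0.5", "host": "[::1]:8080"},
]

if __name__ == "__main__":
    print(dict(rejected_by_source(SAMPLE_REQUESTS)))  # {'10.0.0.9': 3}
```

Rejecting at the front end only removes the trigger described above; it does not replace upgrading to a fixed Tomcat version.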

Exploit

Fix

DoS

RCE

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2009-0033
DSA-2207-1
GHSA-5CW4-GGX9-36VG
HPSBUX02579
HPSBUX02860
RHSA-2009:1164
RHSA-2009:1454
RHSA-2009:1506
RHSA-2009:1562
RHSA-2009:1563
RHSA-2009:1616
RHSA-2009:1617
RHSA-2009_1164
RHSA-2010:0602

Affected Products

Apache Tomcat
HP-UX
Red Hat