PT-2010-3827 · Apache · Apache Httpd
Published 2010-07-09 · Updated 2022-05-14 · CVE-2010-2227
CVSS v2.0: 6.4 (Medium), vector AV:N/AC:L/Au:N/C:P/I:N/A:P
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 5.5.0 through 5.5.29
Apache Tomcat versions 6.0.0 through 6.0.27
Description
The issue arises from improper handling of an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service or obtain sensitive information by interfering with the recycling of a buffer. A crafted header can trigger the flaw, causing subsequent requests to fail and/or information to leak between requests. A reverse proxy in front of Tomcat, such as Apache httpd 2.2, mitigates the flaw because it should reject the invalid Transfer-Encoding header before it reaches Tomcat.
Recommendations
For Apache Tomcat versions 5.5.0 through 5.5.29, consider updating to a version that properly handles the Transfer-Encoding header to prevent denial of service and information leakage.
For Apache Tomcat versions 6.0.0 through 6.0.27, consider updating to a version that properly handles the Transfer-Encoding header to prevent denial of service and information leakage.
As a temporary workaround, consider placing Tomcat behind a reverse proxy, such as Apache httpd 2.2, so that invalid Transfer-Encoding headers are rejected before they reach Tomcat, minimizing the risk of exploitation.
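An added example (not code from the advisory, Tomcat or httpd) of the header strictness the recommended reverse proxy is expected to provide: a Python validator that applies the RFC 7230 Transfer-Encoding rules to a raw request head before it would be forwarded to the origin server. The token grammar and the set of registered codings follow RFC 7230; treating unregistered codings as invalid is an assumed proxy policy, and the request heads in the test are constructed samples.

```python
import re
from typing import Tuple

# tchar from RFC 7230 section 3.2.6: the characters allowed in an HTTP token.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Transfer codings registered by RFC 7230 section 4 ("identity" was dropped there).
# Rejecting anything else is an assumed proxy policy, not a protocol requirement.
KNOWN_CODINGS = {"chunked", "compress", "deflate", "gzip"}


def validate_transfer_encoding(value: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for one request Transfer-Encoding field value.

    Applies the rules a strict reverse proxy enforces on requests: each element
    is a token (parameters allowed), each coding is registered, and "chunked"
    appears exactly once and last (RFC 7230 section 3.3.3).
    """
    names = []
    for coding in value.split(","):
        name = coding.split(";", 1)[0].strip()  # drop transfer-parameters
        if not TOKEN.fullmatch(name):
            return False, f"malformed coding {name!r}"
        name = name.lower()
        if name not in KNOWN_CODINGS:
            return False, f"unknown coding {name!r}"
        names.append(name)
    if names.count("chunked") != 1:
        return False, "chunked must appear exactly once"
    if names[-1] != "chunked":
        return False, "chunked must be the final coding"
    return True, "ok"


def check_request_head(raw: bytes) -> Tuple[bool, str]:
    """Validate the framing headers of a raw request head (up to the blank line)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    te, cl = [], []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            return False, f"malformed header line {line!r}"
        field, _, val = line.partition(":")
        field = field.strip().lower()
        if field == "transfer-encoding":
            te.append(val.strip())
        elif field == "content-length":
            cl.append(val.strip())
    if not te:
        return True, "no Transfer-Encoding"
    if cl:  # ambiguous framing; a strict proxy refuses rather than guesses
        return False, "Transfer-Encoding and Content-Length both present"
    return validate_transfer_encoding(",".join(te))
```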
Tags: DoS, Buffer Overflow
Affected Products
Apache Tomcat
Apache Httpd
Hp-Ux
Red Hat