PT-2014-3548 · Apache · Apache Tomcat

Published: 2014-06-24 · Updated: 2022-05-14 · CVE-2014-0230

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 6.x through 6.0.43
Apache Tomcat versions 7.x through 7.0.54
Apache Tomcat versions 8.x through 8.0.8

Description

The issue arises when an HTTP response occurs before the entire request body has been read, allowing remote attackers to cause a denial of service by consuming threads through a series of aborted upload attempts. By default, Tomcat swallows the remaining request body so that the next request on the connection may be processed, but there was no limit to the size of the request body that Tomcat would swallow, permitting a limited Denial of Service.

Recommendations

For Apache Tomcat version 6.x, update to version 6.0.44 or later.
For Apache Tomcat version 7.x, update to version 7.0.55 or later.
For Apache Tomcat version 8.x, update to version 8.0.9 or later.
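
The swallowing behaviour in the description, as a simplified Python model added here (not Tomcat's code): the unbounded drain next to a capped one that closes the connection instead of reading on. The names `drain_after_early_response` and `summarize`, the 2 MiB cap and the sample sizes are constructed for illustration.

```python
import io

CHUNK = 8192                      # read size used while draining (constructed)
SWALLOW_LIMIT = 2 * 1024 * 1024   # hypothetical cap, not a value from this page
# Constructed sample: unread body bytes left behind by three aborted uploads.
SAMPLE_REMAINING = [1024, 64 * 1024, 5 * 1024 * 1024]


def drain_after_early_response(body, swallow_limit=None):
    """Drain the unread request body after the response has been sent.

    Returns (action, swallowed). "keep-alive" means the body was consumed and
    the connection can serve the next request; "close" means the cap was
    exceeded and the connection is dropped. swallow_limit=None models the
    unbounded swallowing described in the advisory.
    """
    swallowed = 0
    while True:
        want = CHUNK
        if swallow_limit is not None:
            # Never read more than one byte past the cap.
            want = min(CHUNK, swallow_limit - swallowed + 1)
        chunk = body.read(want)
        if not chunk:
            return "keep-alive", swallowed
        swallowed += len(chunk)
        if swallow_limit is not None and swallowed > swallow_limit:
            return "close", swallowed


def summarize(remaining_sizes, swallow_limit=None):
    """Total bytes a worker reads, and connections closed, over a series."""
    total, closed = 0, 0
    for size in remaining_sizes:
        body = io.BytesIO(bytes(size))  # zero-filled stand-in for the body
        action, swallowed = drain_after_early_response(body, swallow_limit)
        total += swallowed
        closed += 1 if action == "close" else 0
    return total, closed


if __name__ == "__main__":
    for label, limit in (("unbounded", None), ("capped", SWALLOW_LIMIT)):
        total, closed = summarize(SAMPLE_REMAINING, limit)
        print(f"{label}: swallowed={total} bytes, connections closed={closed}")
```

Without a cap, the work a thread does per aborted upload is set entirely by the client-declared body size; with a cap it is bounded, at the cost of closing the connection for oversized bodies.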

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CESA-2016_2599
CVE-2014-0230
DLA-232-1
DSA-3447-1
DSA-3530-1
GHSA-PXCX-CXQ8-4MMW
RHSA-2015:1622
RHSA-2015:2659
RHSA-2015:2660
RHSA-2016:0595
RHSA-2016:0596
RHSA-2016:0597
RHSA-2016:0598
RHSA-2016:2599
RHSA-2016_2599
SUSE-SU-2015:1565-1
USN-2654-1
USN-2655-1

Affected Products

Apache Tomcat
CentOS
Red Hat
SUSE
Ubuntu