tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: Question about CVE-2009-0033 DOS vulnerability
Date Thu, 09 Jul 2009 20:59:02 GMT
On 09.07.2009 22:40, Swapan Gupta wrote:
> I have a question about the applicability of the
> CVE-2009-0033<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033>DoS
> vulnerability in Tomcat 5.5.x.
> 
> I have come across the description of the vulnerability at multiple places,
> but at most of the places it is mentioned that this vulnerability is
> applicable when the Java AJP connector (inside Tomcat) and the mod_jk
> loadbalancing (in Apache) is used.
> 
> Can someone please confirm if this vulnerability be applicable even in the
> scenario where I have a single AJP connector configured with mod_jk? I do
> not have the mod_jk configured in a load balancing mode to multiple AJP
> connector ports on Tomcat. I just have a single worker defined in the
> worker.properties file.
> 
> Appreciate any quick responses which could help in making this
> determination.

The description is right, the problem only applies if a load balancer is
used.

The load balancer tries to detect errors of the balanced nodes and if it
finds one, it takes the node out of balancing for some time. So if an
attacker finds a way for a node to behave like it has a problem, it will
be taken out of balancing resulting in denial of service for this node.

This reduces the size of your balanced farm, and if you e.g. have 4
nodes and someone manages to remotely trigger an error situation for
three of them, the remaining node might get overwhelmed by the full load
and also die.

The load balancer itself will never take all nodes out of the balancing.
So if you use a balancer with only one node (because of the advanced
management capabilities of the balancer), the above security problem
will also not apply.

As I said, even with more nodes, you will never loose all nodes, but
only having one node left over might not be enough due to load.

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message