tomcat-dev mailing list archives

From Swapan Gupta <swapan.gu...@gmail.com>
Subject Re: Question about CVE-2009-0033 DOS vulnerability
Date Thu, 09 Jul 2009 21:06:52 GMT
OK, so that means if I have a single worker operating, I will not reach a
situation wherein, because of exploitation of this vulnerability, my single
worker-AJP Connector combination runs out of connections to operate.
Is that a fair statement?

Thanks in advance,
Swapan



On Thu, Jul 9, 2009 at 4:59 PM, Rainer Jung <rainer.jung@kippdata.de> wrote:

> On 09.07.2009 22:40, Swapan Gupta wrote:
> > I have a question about the applicability of the CVE-2009-0033
> > <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033> DoS
> > vulnerability in Tomcat 5.5.x.
> >
> > I have come across the description of the vulnerability at multiple
> > places, but at most of the places it is mentioned that this vulnerability is
> > applicable when the Java AJP connector (inside Tomcat) and the mod_jk
> > load balancing (in Apache) are used.
> >
> > Can someone please confirm if this vulnerability would be applicable even in
> > the scenario where I have a single AJP connector configured with mod_jk? I do
> > not have the mod_jk configured in a load balancing mode to multiple AJP
> > connector ports on Tomcat. I just have a single worker defined in the
> > worker.properties file.
> >
> > Appreciate any quick responses which could help in making this
> > determination.
>
> The description is right, the problem only applies if a load balancer is
> used.
>
> The load balancer tries to detect errors of the balanced nodes and if it
> finds one, it takes the node out of balancing for some time. So if an
> attacker finds a way for a node to behave like it has a problem, it will
> be taken out of balancing resulting in denial of service for this node.
>
> This reduces the size of your balanced farm, and if you e.g. have 4
> nodes and someone manages to remotely trigger an error situation for
> three of them, the remaining node might get overwhelmed by the full load
> and also die.
>
> The load balancer itself will never take all nodes out of the balancing.
> So if you use a balancer with only one node (because of the advanced
> management capabilities of the balancer), the above security problem
> will also not apply.
>
> As I said, even with more nodes, you will never lose all nodes, but
> only having one node left over might not be enough due to load.
>
> Regards,
>
> Rainer
>

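The balancer behaviour Rainer describes (errored nodes are taken out of balancing for a recovery period, but the balancer never empties the farm), modelled as an added example for this thread; it is not mod_jk's or Tomcat's code, and the node names, the recover_time value and the "retry the oldest error" fallback are constructed assumptions. It also shows what the thread only implies: the load that a surviving node absorbs, and that nodes come back once their timeout expires.

```python
# Constructed model of a load balancer's error handling (added example, not
# mod_jk's implementation). A node that reports an error is kept out of
# balancing for `recover_time` seconds. When every node is in error the
# balancer still picks one instead of refusing all requests, so a balancer
# with a single node keeps routing to it regardless of errors.
from collections import Counter


class Balancer:
    def __init__(self, nodes, recover_time=60):
        self.nodes = list(nodes)
        self.recover_time = recover_time
        self.error_since = {n: None for n in self.nodes}  # None = healthy
        self._rr = 0  # round-robin cursor over the eligible nodes

    def mark_error(self, node, now):
        """Record that a node looked broken at time `now` (seconds)."""
        self.error_since[node] = now

    def in_balancing(self, now):
        """Nodes eligible right now: healthy, or past their recovery timeout."""
        return [n for n in self.nodes
                if self.error_since[n] is None
                or now - self.error_since[n] >= self.recover_time]

    def pick(self, now):
        """Choose a node; fall back to forced recovery if none is eligible."""
        eligible = self.in_balancing(now)
        if not eligible:
            # All nodes are in error: retry the one whose error is oldest
            # rather than dropping every request. The farm is never emptied.
            return min(self.nodes, key=lambda n: self.error_since[n])
        node = eligible[self._rr % len(eligible)]
        self._rr += 1
        return node


def route(balancer, now, count):
    """Send `count` requests through the balancer at time `now`; per-node counts."""
    return Counter(balancer.pick(now) for _ in range(count))


if __name__ == "__main__":
    farm = Balancer(["tomcat1", "tomcat2", "tomcat3", "tomcat4"])
    for n in ["tomcat1", "tomcat2", "tomcat3"]:
        farm.mark_error(n, now=0)
    print(route(farm, now=10, count=100))   # all 100 land on tomcat4
    print(route(farm, now=70, count=100))   # the other three are back after 60 s
    single = Balancer(["tomcat1"])
    single.mark_error("tomcat1", now=0)
    print(route(single, now=10, count=10))  # still routed: last node is never dropped
```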