tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stephen Caine <step...@commongrnd.com>
Subject Re: CVE-2012-4534 Apache Tomcat denial of service
Date Wed, 05 Dec 2012 01:48:02 GMT
Jim,

Check your Tomcat version.

http://localhost:8080/

Stephen

On Dec 4, 2012, at 2:47 PM, Mark Thomas <markt@apache.org> wrote:

> CVE-2012-4534 Apache Tomcat denial of service
> 
> Severity: Important
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> - Tomcat 7.0.0 to 7.0.27
> - Tomcat 6.0.0 to 6.0.35
> 
> Description:
> When using the NIO connector with sendfile and HTTPS enabled, if a
> client breaks the connection while reading the response an infinite loop
> is entered leading to a denial of service. This was originally reported
> as https://issues.apache.org/bugzilla/show_bug.cgi?id=52858.
> 
> Mitigation:
> Users of affected versions should apply one of the following mitigations:
> - Tomcat 7.0.x users should upgrade to 7.0.28 or later
> - Tomcat 6.0.x users should upgrade to 6.0.36 or later
> 
> Credit:
> The security implications of this bug were identified by Arun Neelicattu
> of the Red Hat Security Response Team.
> 
> References:
> http://tomcat.apache.org/security.html
> http://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-6.html
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message