tomcat-users mailing list archives

From Brandon McCombs <>
Subject RE: is tomcat 6.0.35 vulnerable to CVE-2007-6750?
Date Wed, 12 Jun 2013 16:33:47 GMT

-----Original Message-----
From: Christopher Schultz [] 
Sent: Wednesday, June 12, 2013 11:56 AM
To: Tomcat Users List
Subject: Re: is tomcat 6.0.35 vulnerable to CVE-2007-6750?
>On 6/12/13 11:33 AM, Brandon McCombs wrote:
>> I don't know if this is the correct list but it seem to be the best 
>> one.
>> I'm trying to find evidence of whether tomcat 6.0.35 is vulnerable 
>> (and if so, was it fixed and in which version?) to the issue 
>> identified in CVE-2007-6750?
>Note that, officially, CVE-2007-6750 is against Apache httpd, and no other product. Technically,
>CVE-2007-6750 cannot be applied to Tomcat.
>On the other hand, the technique used for a DOS (Slowloris) can definitely be used to
>DOS Tomcat under certain configurations.
>Technically, this is tracked via a separate CVE issue:
> (which you should have found
>from RedHat's Bugzilla entry).

Hi Chris

Yeah I found it. I don't think I noticed I had found it when I clicked on that entry in my
Google search results. I just saw CVE-2007-6750 listed in the short excerpt and clicked on
it. The bugzilla url I listed below is actually from that CVE page for 5568.

>To (partially) mitigate Slowloris, use the NIO connector with an appropriate connectionTimeout
>> "The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a 
>> denial of service (daemon outage) via partial HTTP requests, as 
>> demonstrated by Slowloris, related to the lack of the mod_reqtimeout 
>> module in versions before 2.2.15."
>> I found a single statement on
>> that says Tomcat is 
>> affected but I haven't found any published fix from RH or any 
>> confirmation on website.
>You are looking for CVE-2012-5568.

I remember reading the description for 5568 on the security-7.html page but since I didn't
know (or notice) that was the one that was specific to tomcat for the general 6750 issue I
didn't put 2 and 2 together. So it seems that although there is a chance of Tomcat being vulnerable
it isn't a sufficiently large risk to warrant being addressed and is in fact categorized as
a low risk. So that's good enough for me.  

Thank you sir.
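As an added illustration of the mitigation Chris mentions above (the NIO connector with an appropriate connectionTimeout), not a snippet from this thread or from the Tomcat project's own documentation, here is a pair of server.xml Connector elements: the first is a blocking HTTP/1.1 connector with the timeout disabled, the second switches to the NIO connector with a bounded timeout. The port, thread and queue values are placeholder choices, not recommendations from the thread.

```xml
<!-- Added example; not from the thread or the Tomcat project. -->

<!-- Weak setting: blocking (BIO) connector with connectionTimeout="-1",
     which means "never time out". Each open connection holds a worker
     thread while Tomcat waits for the request, so slow, partial requests
     can occupy all of maxThreads. -->
<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="-1"
           maxThreads="200" />

<!-- Hardened setting: NIO connector with a bounded connectionTimeout
     (milliseconds). Connections that have not delivered a request line
     within 20 s are closed, and the non-blocking read of the request
     means a slow client does not pin a worker thread while it waits. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           maxThreads="200"
           acceptCount="100" />
```

The timeout value is in milliseconds, and as Chris says this is only a partial mitigation: the timeout bounds how long an idle connection is kept, while the connector choice decides whether that waiting costs a thread. Verify the change by checking the connector line that Tomcat logs at startup shows the NIO protocol class.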
