tomcat-users mailing list archives

From Brandon McCombs <bmcco...@tibco.com>
Subject RE: is tomcat 6.0.35 vulnerable to CVE-2007-6750?
Date Wed, 12 Jun 2013 16:33:47 GMT


-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Wednesday, June 12, 2013 11:56 AM
To: Tomcat Users List
Subject: Re: is tomcat 6.0.35 vulnerable to CVE-2007-6750?
>
>Brandon,
>
>On 6/12/13 11:33 AM, Brandon McCombs wrote:
>> I don't know if this is the correct list but it seem to be the best 
>> one.
>> 
>> I'm trying to find evidence of whether tomcat 6.0.35 is vulnerable 
>> (and if so, was it fixed and in which version?) to the issue 
>> identified in CVE-2007-6750?
>
>Note that, officially, CVE-2007-6750 is against Apache httpd, and no other product. Technically,
>CVE-2007-6750 cannot be applied to Tomcat.
>
>On the other hand, the technique used for a DOS (Slowloris) can definitely be used to
>DOS Tomcat under certain configurations.
>Technically, this is tracked via a separate CVE issue:
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568 (which you should have found
>from RedHat's Bugzilla entry).
>
>
Hi Chris

Yeah, I found it. I don't think I noticed I had found it when I clicked on that entry in my
Google search results. I just saw CVE-2007-6750 listed in the short excerpt and clicked on
it. The Bugzilla URL I listed below is actually from that CVE page for 5568.

>
>To (partially) mitigate Slowloris, use the NIO connector with an appropriate connectionTimeout
>configured.
>
>> "The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a 
>> denial of service (daemon outage) via partial HTTP requests, as 
>> demonstrated by Slowloris, related to the lack of the mod_reqtimeout 
>> module in versions before 2.2.15."
>> 
>> I found a single statement on
>> https://bugzilla.redhat.com/show_bug.cgi?id=880011 that says Tomcat is 
>> affected but I haven't found any published fix from RH or any 
>> confirmation on tomcat.apache.org website.
>
>http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat
>
>You are looking for CVE-2012-5568.

I remember reading the description for 5568 on the security-7.html page, but since I didn't
know (or notice) that was the one that was specific to Tomcat for the general 6750 issue, I
didn't put 2 and 2 together. So it seems that although there is a chance of Tomcat being vulnerable,
it isn't a sufficiently large risk to warrant being addressed and is in fact categorized as
a low risk. So that's good enough for me.

Thank you sir.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
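The mitigation Chris points at in the quoted reply (switch the HTTP connector to NIO and set a connectionTimeout) expressed as a server.xml fragment. This is an added illustration for readers of the archive, not part of either message and not taken from the Tomcat project's own configuration; the port, maxThreads and timeout values are assumed placeholders, and the weak/mitigated pairing is there to show the difference, not to describe any specific deployment.

```xml
<!-- Added example, not from the original thread or the Tomcat documentation.
     Port, maxThreads and timeout values are assumptions chosen for illustration. -->

<!-- Weaker setting: blocking (BIO) HTTP/1.1 connector with a long connectionTimeout.
     Each connection holds a worker thread while it waits for the request line,
     so clients that send headers very slowly can keep threads occupied. -->
<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="300000"
           maxThreads="200" />

<!-- Mitigated setting (partial, as the reply notes): NIO connector with a short
     connectionTimeout. Idle sockets are handled by the poller rather than by a
     dedicated worker thread, and connections that do not present a request line
     within the timeout are closed. connectionTimeout is in milliseconds. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           maxThreads="200" />
```

Only one of the two Connector elements would be present in a real server.xml; the pair is shown side by side to make the change visible. The timeout value is a trade-off against legitimately slow clients, so it should be tuned per deployment rather than copied.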
