tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: is tomcat 6.0.35 vulnerable to CVE-2007-6750?
Date Wed, 12 Jun 2013 15:55:36 GMT

Brandon,

On 6/12/13 11:33 AM, Brandon McCombs wrote:
> I don't know if this is the correct list but it seems to be the
> best one.
> 
> I'm trying to find evidence of whether tomcat 6.0.35 is vulnerable
> (and if so, was it fixed and in which version?) to the issue
> identified in CVE-2007-6750?

Note that, officially, CVE-2007-6750 is against Apache httpd, and no
other product. Technically, CVE-2007-6750 cannot be applied to Tomcat.

On the other hand, the technique used for a DoS (Slowloris) can
definitely be used to DoS Tomcat under certain configurations.
Technically, this is tracked via a separate CVE issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568 (which you
should have found from Red Hat's Bugzilla entry).

To (partially) mitigate Slowloris, use the NIO connector with an
appropriate connectionTimeout configured.

> "The Apache HTTP Server 1.x and 2.x allows remote attackers to
> cause a denial of service (daemon outage) via partial HTTP
> requests, as demonstrated by Slowloris, related to the lack of the
> mod_reqtimeout module in versions before 2.2.15."
> 
> I found a single statement on 
> https://bugzilla.redhat.com/show_bug.cgi?id=880011 that says
> Tomcat is affected but I haven't found any published fix from RH or
> any confirmation on tomcat.apache.org website.

http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat

You are looking for CVE-2012-5568.

- -chris

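The connector change Chris recommends above, shown as an added server.xml example that is not part of his reply or of the Tomcat project's own documentation. The first Connector is the stock Tomcat 6/7 configuration, where protocol="HTTP/1.1" selects the blocking (BIO) connector; the second switches to the NIO connector with an explicit connectionTimeout. The port numbers, thread count and the 20000 ms timeout are assumed values, not figures from the message.

```xml
<!-- Added example (not from the original message): Tomcat 6/7 server.xml -->

<!-- Default configuration: protocol="HTTP/1.1" maps to the blocking BIO
     connector in Tomcat 6 and 7. Each open connection occupies a worker
     thread until the request completes, so a few hundred deliberately
     slow, partial requests (Slowloris) can exhaust maxThreads. -->
<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxThreads="200"
           redirectPort="8443" />

<!-- Hardened configuration: the NIO connector parks idle connections on a
     poller instead of a worker thread, and connectionTimeout (milliseconds)
     bounds how long the connector waits for the request line and headers
     after accepting a connection. Values below are assumptions. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           maxThreads="200"
           redirectPort="8443" />
```

This is only a partial mitigation, as the reply says: NIO stops idle sockets from pinning worker threads and the timeout drops connections that never finish their headers, but the connector still accepts the sockets, so a large enough flood can still exhaust file descriptors or the OS accept backlog. Verify the change took effect by checking the Tomcat startup log for the connector class name, and watch busy-thread counts under load via JMX or the manager application.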

