tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [SECURITY] CVE-2014-0230: Apache Tomcat DoS
Date Wed, 06 May 2015 08:14:21 GMT
Jose María Zaragoza wrote:
> 2015-05-06 0:53 GMT+02:00 Mark Thomas <markt@apache.org>:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> CVE-2014-0230 Denial of Service
>>
>> Severity: Low
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> - - Apache Tomcat 8.0.0-RC1 to 8.0.8
>> - - Apache Tomcat 7.0.0 to 7.0.54
>> - - Apache Tomcat 6.0.0 to 6.0.43
>>
>> Description:
>> When a response for a request with a request body is returned to the
>> user agent before the request body is fully read, by default Tomcat
>> swallows the remaining request body so that the next request on the
>> connection may be processed.
> 
> 
> I'm trying to understand when that behaviour is happening.
> When is a response returned before the request body is fully read?
> What happens when the remaining request body is read?
> 

Guess for Q1: when the original request's target is an area which requires 
authentication, and the request is not?
Q2: That is explained in the message: it is discarded.
It's just that it may be very large (and/or slow), and Tomcat may have a thread busy for a 
while reading it to the end.
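As an added illustration of the behaviour discussed above (this is constructed example code, not Tomcat's own source), the sketch below models what a server has to decide once it has already sent a response, say a 401, while part of the request body is still unread on a keep-alive connection: either discard ("swallow") the rest so the connection can carry the next request, or close the connection. The risk in the advisory is the first option without a bound, since a worker thread then stays busy for as long as the client takes to send an arbitrarily large body. The `max_swallow` limit and the function names are assumptions introduced for this example; Tomcat's actual fix exposes a similar limit as a connector setting.

```python
import io

# Constructed example, not Tomcat code. Models a bounded "swallow" of the
# unread part of a request body after the response has already been sent.

CHUNK = 8192  # read the body in small pieces, as a server would


def drain_body(stream, remaining, max_swallow):
    """Discard up to `remaining` unread body bytes from `stream`.

    Returns (bytes_swallowed, keep_alive). keep_alive is False when the
    caller should close the connection instead of reusing it: either the
    declared remainder exceeds max_swallow (so no thread time is spent
    reading it), or the client stopped sending before the declared end.
    """
    if remaining > max_swallow:
        # With a known Content-Length the decision is free: refuse to spend
        # a worker thread on an oversized remainder and close the connection.
        return 0, False

    swallowed = 0
    while remaining > 0:
        chunk = stream.read(min(CHUNK, remaining))
        if not chunk:  # client hung up (or stalled to EOF) before the declared end
            return swallowed, False
        swallowed += len(chunk)
        remaining -= len(chunk)
    return swallowed, True


def finish_request(stream, content_length, bytes_already_read, max_swallow):
    """Decide what to do with the connection after an early response.

    bytes_already_read is how much of the body the handler consumed before
    it answered (zero for, e.g., an authentication challenge sent up front).
    """
    unread = content_length - bytes_already_read
    if unread <= 0:
        return {"swallowed": 0, "keep_alive": True}
    swallowed, keep_alive = drain_body(stream, unread, max_swallow)
    return {"swallowed": swallowed, "keep_alive": keep_alive}


if __name__ == "__main__":
    limit = 2 * 1024 * 1024  # assumed 2 MiB swallow limit for this example

    # 1. Small body, handler answered before reading any of it: swallow and reuse.
    print(finish_request(io.BytesIO(b"x" * 10240), 10240, 0, limit))

    # 2. Client declares a 50 MiB body: never read it, close instead.
    print(finish_request(io.BytesIO(b"x" * 100), 50 * 1024 * 1024, 0, limit))

    # 3. Client declared 5000 bytes but only sent 1000: close, connection is unusable.
    print(finish_request(io.BytesIO(b"x" * 1000), 5000, 0, limit))
```

Case 2 is the one the advisory is about: without the limit the loop would sit reading whatever the client chooses to trickle in, holding the worker thread the whole time; with it, the oversized remainder is never read and the connection is simply closed.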

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

