tomcat-users mailing list archives

From Jose María Zaragoza <demablo...@gmail.com>
Subject Re: [SECURITY] CVE-2014-0230: Apache Tomcat DoS
Date Wed, 06 May 2015 14:21:37 GMT
2015-05-06 13:59 GMT+02:00 Mark Thomas <markt@apache.org>:
> On 06/05/2015 09:14, André Warnier wrote:
>> Jose María Zaragoza wrote:
>>> 2015-05-06 0:53 GMT+02:00 Mark Thomas <markt@apache.org>:
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA256
>>>>
>>>> CVE-2014-0230 Denial of Service
>>>>
>>>> Severity: Low
>>>>
>>>> Vendor: The Apache Software Foundation
>>>>
>>>> Versions Affected:
>>>> - - Apache Tomcat 8.0.0-RC1 to 8.0.8
>>>> - - Apache Tomcat 7.0.0 to 7.0.54
>>>> - - Apache Tomcat 6.0.0 to 6.0.43
>>>>
>>>> Description:
>>>> When a response for a request with a request body is returned to the
>>>> user agent before the request body is fully read, by default Tomcat
>>>> swallows the remaining request body so that the next request on the
>>>> connection may be processed.
>>>
>>>
>>> I'm trying to understand when that behaviour is happening.
>>> When is a response returned before the request body is fully read?
>>> What happens when the remaining request body is read?
>>>
>>
>> Guess for Q1 : when the original request's target is an area which
>> requires authentication, and the request is not ?
>
> Yes, that is one case. Generally these are error conditions. Either
> Tomcat or the app knows after reading the headers (and maybe the first
> part of the response body) exactly what the response is going to be and
> that the rest of the request body can be skipped. Although Tomcat
> ignores the remainder of the body it needs to read it as most clients
> don't read the response until the client has fully written the request
> (which means Tomcat has to read it).
>
>> Q2 : That is explained in the message : it is discarded.
>> It's just that it may be very large (and/or slow), and Tomcat may have a
>> thread busy for a while reading it to the end.
>
> Exactly. The only reason this gets classed as a DoS (and it was on the
> border of being/not being a vulnerability) is that Tomcat didn't place
> any limit on how much data it would read and ignore. There are easier
> ways to DoS a Tomcat server than use this vector.
>
> Mark
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
Great. Thanks

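An added example, not code from this thread or from Tomcat, modelling the behaviour Mark describes: once a response has been sent early, the server still has to read and discard the rest of the request body so the connection can be reused, and the fix is to cap how much it will discard before it simply closes the connection instead (Tomcat's fix exposes that cap as the Connector attribute maxSwallowSize). The function and constant names below, and the sample bodies, are my own constructions.

```python
import io
from typing import BinaryIO, Optional, Tuple

CHUNK = 8192  # bytes read per iteration (constructed value, not Tomcat's)


def drain_request_body(body: BinaryIO, content_length: Optional[int],
                       max_swallow: int) -> Tuple[int, bool]:
    """Discard the unread part of a request body after an early response.

    content_length: declared body bytes still unread, or None when unknown
                    (e.g. chunked encoding, so we read until EOF).
    max_swallow:    cap on bytes to read-and-discard; a negative value
                    disables the cap, i.e. the unbounded pre-fix behaviour.
    Returns (bytes_discarded, keep_alive). keep_alive is False when the cap
    was exceeded: the caller should close the connection rather than keep a
    worker thread busy draining a body the client can make arbitrarily large.
    """
    capped = max_swallow >= 0
    if capped and content_length is not None and content_length > max_swallow:
        # The declared length alone proves the body is too large: close now.
        return 0, False
    discarded = 0
    while content_length is None or discarded < content_length:
        want = CHUNK
        if content_length is not None:
            want = min(want, content_length - discarded)
        if capped:
            # Never read further than the byte that proves the cap is exceeded.
            want = min(want, max_swallow - discarded + 1)
        chunk = body.read(want)
        if not chunk:
            break  # client closed early; nothing more to drain
        discarded += len(chunk)
        if capped and discarded > max_swallow:
            return discarded, False
    return discarded, True


def drain_bytes(data: bytes, content_length: Optional[int],
                max_swallow: int) -> Tuple[int, bool]:
    """Convenience wrapper over an in-memory body (constructed sample input)."""
    return drain_request_body(io.BytesIO(data), content_length, max_swallow)


if __name__ == "__main__":
    print(drain_bytes(b"a" * 10, 10, 2 * 1024 * 1024))  # (10, True)
    print(drain_bytes(b"b" * 5000, 5000, 100))          # (0, False)
    print(drain_bytes(b"c" * 5000, None, 100))          # (101, False)
    print(drain_bytes(b"d" * 5000, 5000, -1))           # (5000, True): unbounded
```

The last call shows the pre-fix behaviour the thread discusses: with no cap, the whole body is read and thrown away regardless of size.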