Tomcat6 version below 6.0.32 can be easily brought down

Bug #714239 reported by Dmitry
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tomcat6 (Ubuntu)
Fix Released
Undecided
Unassigned
Karmic
Fix Released
Medium
Unassigned
Lucid
Fix Released
Medium
Unassigned
Maverick
Fix Released
Medium
Unassigned
Natty
Fix Released
Undecided
Unassigned

Bug Description

Binary package hint: tomcat6

Tomcat can be DOSed by making mutiple (>200) GET requests with Accept-Language: en-us;q=2.2250738585072012e-308 header.

Explanation:
There is a known bug in Java: it goes into infinite loop when trying to parse "2.2250738585072012e-308" into double (for explanation see http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/).
When one executes GET request with the Accept-Language header specified above one of tomcat's worker threads goes into infinite loop.
Tomcat has max 200 or so worker threads by default, so after executing the malicious GET request more than 200 times all worker threads are stuck and tomcat is not able to process further requests.

The bug was fixed in tomcat 6.0.32 ("Improve HTTP specification compliance in support of Accept-Language header. (kkolinko)").

The bug is reproducible always and is pretty critical, so I hope it will be resolved in the near time.

My environments:
1)
ubuntu: Ubuntu 10.04.1 LTS
tomcat6: 6.0.24-2ubuntu1.6
openjdk-6-jdk: 6b20-1.9.5-0ubuntu1~10.04.1

2)
ubuntu: Ubuntu 10.10
tomcat6: 6.0.28-2ubuntu1.1
openjdk-6-jdk: 6b20-1.9.5-0ubuntu1

Tags: denial of service
Revision history for this message
Dmitry (dmitry-korolyov) wrote :

There is also a patch for open jdk that solves the problem: https://bugs.openjdk.java.net/show_bug.cgi?id=100119

Revision history for this message
Dmitry (dmitry-korolyov) wrote :

Apache Tomcat 6.0.32 is primarily a security and bug fix release. All
users of older versions of the Tomcat 6.0 family should upgrade to 6.0.32.

http://mail-archives.apache.org/mod_mbox/www-announce/201102.mbox/%<email address hidden>%3E

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

6.0.28-10 is in Natty, which has a fix for this issue.

visibility: private → public
Changed in tomcat6 (Ubuntu Natty):
status: New → Fix Released
Changed in tomcat6 (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
Changed in tomcat6 (Ubuntu Maverick):
status: New → Triaged
importance: Undecided → Medium
Changed in tomcat6 (Ubuntu Karmic):
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.28-2ubuntu1.2

---------------
tomcat6 (6.0.28-2ubuntu1.2) maverick-security; urgency=low

  * SECURITY UPDATE: directory traversal via incorrect ServetContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIOS HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534
 -- Marc Deslauriers <email address hidden> Thu, 24 Mar 2011 10:10:09 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.24-2ubuntu1.7

---------------
tomcat6 (6.0.24-2ubuntu1.7) lucid-security; urgency=low

  * SECURITY UPDATE: directory traversal via incorrect ServetContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIOS HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534
 -- Marc Deslauriers <email address hidden> Thu, 24 Mar 2011 11:08:39 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.20-2ubuntu2.4

---------------
tomcat6 (6.0.20-2ubuntu2.4) karmic-security; urgency=low

  * SECURITY UPDATE: directory traversal via incorrect ServetContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIOS HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534
 -- Marc Deslauriers <email address hidden> Thu, 24 Mar 2011 13:58:06 -0400

Changed in tomcat6 (Ubuntu Karmic):
status: Triaged → Fix Released
Changed in tomcat6 (Ubuntu Lucid):
status: Triaged → Fix Released
Changed in tomcat6 (Ubuntu Maverick):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.