jvndb-2009-000037
Vulnerability from jvndb
Published
2009-06-18 17:54
Modified
2012-09-28 13:40
Summary
Apache Tomcat denial of service (DoS) vulnerability
Details
Apache Tomcat from The Apache Software Foundation contains a denial of service (DoS) vulnerability.
Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies.
If Tomcat receives a request with an invalid header via the Java AJP connector, it will not return an error and instead closes the AJP connection. In case this connector is member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behavior can be used for a denial of service attack using a carefully crafted request.
According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.
For more information, refer to the developer's website.
Yoshihito Fukuyama of NTT OSS Center reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.
References
Impacted products
{
"@rdf:about": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000037.html",
"dc:date": "2012-09-28T13:40+09:00",
"dcterms:issued": "2009-06-18T17:54+09:00",
"dcterms:modified": "2012-09-28T13:40+09:00",
"description": "Apache Tomcat from The Apache Software Foundation contains a denial of service (DoS) vulnerability.\r\n\r\nApache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies.\r\nIf Tomcat receives a request with an invalid header via the Java AJP connector, it will not return an error and instead closes the AJP connection. In case this connector is member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behavior can be used for a denial of service attack using a carefully crafted request.\r\n\r\nAccording to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.\r\nFor more information, refer to the developer\u0027s website.\r\n\r\nYoshihito Fukuyama of NTT OSS Center reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.",
"link": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000037.html",
"sec:cpe": [
{
"#text": "cpe:/a:apache:tomcat",
"@product": "Apache Tomcat",
"@vendor": "Apache Software Foundation",
"@version": "2.2"
},
{
"#text": "cpe:/a:hp:tomcat-based_servlet_engine",
"@product": "HP-UX Tomcat-based Servlet Engine",
"@vendor": "Hewlett-Packard Development Company,L.P",
"@version": "2.2"
},
{
"#text": "cpe:/a:nec:infoframe_documentskipper",
"@product": "InfoFrame DocumentSkipper",
"@vendor": "NEC Corporation",
"@version": "2.2"
},
{
"#text": "cpe:/a:vmware:esx",
"@product": "VMware ESX",
"@vendor": "VMware",
"@version": "2.2"
},
{
"#text": "cpe:/a:vmware:server",
"@product": "VMware Server",
"@vendor": "VMware",
"@version": "2.2"
},
{
"#text": "cpe:/a:vmware:vcenter",
"@product": "VMware vCenter",
"@vendor": "VMware",
"@version": "2.2"
},
{
"#text": "cpe:/a:vmware:virtualcenter",
"@product": "VMware VirtualCenter",
"@vendor": "VMware",
"@version": "2.2"
},
{
"#text": "cpe:/o:apple:mac_os_x_server",
"@product": "Apple Mac OS X Server",
"@vendor": "Apple Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/o:hp:hp-ux",
"@product": "HP-UX",
"@vendor": "Hewlett-Packard Development Company,L.P",
"@version": "2.2"
},
{
"#text": "cpe:/o:misc:miraclelinux_asianux_server",
"@product": "Asianux Server",
"@vendor": "Cybertrust Japan Co., Ltd.",
"@version": "2.2"
},
{
"#text": "cpe:/o:redhat:enterprise_linux",
"@product": "Red Hat Enterprise Linux",
"@vendor": "Red Hat, Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/o:redhat:enterprise_linux_desktop",
"@product": "Red Hat Enterprise Linux Desktop",
"@vendor": "Red Hat, Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/o:redhat:enterprise_linux_eus",
"@product": "Red Hat Enterprise Linux EUS",
"@vendor": "Red Hat, Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/o:redhat:rhel_desktop_workstation",
"@product": "RHEL Desktop Workstation",
"@vendor": "Red Hat, Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/o:sun:opensolaris",
"@product": "OpenSolaris",
"@vendor": "Sun Microsystems, Inc.",
"@version": "2.2"
},
{
"#text": "cpe:/o:sun:solaris",
"@product": "Sun Solaris",
"@vendor": "Sun Microsystems, Inc.",
"@version": "2.2"
}
],
"sec:cvss": {
"@score": "4.3",
"@severity": "Medium",
"@type": "Base",
"@vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"@version": "2.0"
},
"sec:identifier": "JVNDB-2009-000037",
"sec:references": [
{
"#text": "http://jvn.jp/en/jp/JVN87272440/index.html",
"@id": "JVN#87272440",
"@source": "JVN"
},
{
"#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033",
"@id": "CVE-2009-0033",
"@source": "CVE"
},
{
"#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0033",
"@id": "CVE-2009-0033",
"@source": "NVD"
},
{
"#text": "http://secunia.com/advisories/35326",
"@id": "SA35326",
"@source": "SECUNIA"
},
{
"#text": "http://secunia.com/advisories/35344",
"@id": "SA35344",
"@source": "SECUNIA"
},
{
"#text": "http://www.securityfocus.com/bid/35193",
"@id": "35193",
"@source": "BID"
},
{
"#text": "http://xforce.iss.net/xforce/xfdb/50928",
"@id": "50928",
"@source": "XF"
},
{
"#text": "http://securitytracker.com/alerts/2009/Jun/1022331.html",
"@id": "1022331",
"@source": "SECTRACK"
},
{
"#text": "http://www.vupen.com/english/advisories/2009/1496",
"@id": "VUPEN/ADV-2009-1496",
"@source": "VUPEN"
},
{
"#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
"@id": "CWE-20",
"@title": "Improper Input Validation(CWE-20)"
}
],
"title": "Apache Tomcat denial of service (DoS) vulnerability"
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.