jvndb-2009-000037
Vulnerability from jvndb
Published
2009-06-18 17:54
Modified
2012-09-28 13:40
Severity ?
() - -
Summary
Apache Tomcat denial of service (DoS) vulnerability
Details
Apache Tomcat from The Apache Software Foundation contains a denial of service (DoS) vulnerability. Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies. If Tomcat receives a request with an invalid header via the Java AJP connector, it will not return an error and instead closes the AJP connection. In case this connector is member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behavior can be used for a denial of service attack using a carefully crafted request. According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected. For more information, refer to the developer's website. Yoshihito Fukuyama of NTT OSS Center reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.
References
JVN http://jvn.jp/en/jp/JVN87272440/index.html
CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
NVD http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0033
SECUNIA http://secunia.com/advisories/35326
SECUNIA http://secunia.com/advisories/35344
BID http://www.securityfocus.com/bid/35193
XF http://xforce.iss.net/xforce/xfdb/50928
SECTRACK http://securitytracker.com/alerts/2009/Jun/1022331.html
VUPEN http://www.vupen.com/english/advisories/2009/1496
Improper Input Validation(CWE-20) https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html
Impacted products
Apache Software FoundationApache Tomcat
Hewlett-Packard Development Company,L.PHP-UX Tomcat-based Servlet Engine
NEC CorporationInfoFrame DocumentSkipper
VMwareVMware ESX
VMwareVMware Server
VMwareVMware vCenter
VMwareVMware VirtualCenter
Apple Inc.Apple Mac OS X Server
Hewlett-Packard Development Company,L.PHP-UX
Cybertrust Japan Co., Ltd.Asianux Server
Red Hat, Inc.Red Hat Enterprise Linux
Red Hat, Inc.Red Hat Enterprise Linux Desktop
Red Hat, Inc.Red Hat Enterprise Linux EUS
Red Hat, Inc.RHEL Desktop Workstation
Sun Microsystems, Inc.OpenSolaris
Sun Microsystems, Inc.Sun Solaris
Show details on JVN DB website

To clipboard 

{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000037.html",
  "dc:date": "2012-09-28T13:40+09:00",
  "dcterms:issued": "2009-06-18T17:54+09:00",
  "dcterms:modified": "2012-09-28T13:40+09:00",
  "description": "Apache Tomcat from The Apache Software Foundation contains a denial of service (DoS) vulnerability.\r\n\r\nApache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies.\r\nIf Tomcat receives a request with an invalid header via the Java AJP connector, it will not return an error and instead closes the AJP connection. In case this connector is member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behavior can be used for a denial of service attack using a carefully crafted request.\r\n\r\nAccording to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.\r\nFor more information, refer to the developer\u0027s website.\r\n\r\nYoshihito Fukuyama of NTT OSS Center reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000037.html",
  "sec:cpe": [
    {
      "#text": "cpe:/a:apache:tomcat",
      "@product": "Apache Tomcat",
      "@vendor": "Apache Software Foundation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:hp:tomcat-based_servlet_engine",
      "@product": "HP-UX Tomcat-based Servlet Engine",
      "@vendor": "Hewlett-Packard Development Company,L.P",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:nec:infoframe_documentskipper",
      "@product": "InfoFrame DocumentSkipper",
      "@vendor": "NEC Corporation",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:vmware:esx",
      "@product": "VMware ESX",
      "@vendor": "VMware",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:vmware:server",
      "@product": "VMware Server",
      "@vendor": "VMware",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:vmware:vcenter",
      "@product": "VMware vCenter",
      "@vendor": "VMware",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/a:vmware:virtualcenter",
      "@product": "VMware VirtualCenter",
      "@vendor": "VMware",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:apple:mac_os_x_server",
      "@product": "Apple Mac OS X Server",
      "@vendor": "Apple Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:hp:hp-ux",
      "@product": "HP-UX",
      "@vendor": "Hewlett-Packard Development Company,L.P",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:misc:miraclelinux_asianux_server",
      "@product": "Asianux Server",
      "@vendor": "Cybertrust Japan Co., Ltd.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:redhat:enterprise_linux",
      "@product": "Red Hat Enterprise Linux",
      "@vendor": "Red Hat, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:redhat:enterprise_linux_desktop",
      "@product": "Red Hat Enterprise Linux Desktop",
      "@vendor": "Red Hat, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:redhat:enterprise_linux_eus",
      "@product": "Red Hat Enterprise Linux EUS",
      "@vendor": "Red Hat, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:redhat:rhel_desktop_workstation",
      "@product": "RHEL Desktop Workstation",
      "@vendor": "Red Hat, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:sun:opensolaris",
      "@product": "OpenSolaris",
      "@vendor": "Sun Microsystems, Inc.",
      "@version": "2.2"
    },
    {
      "#text": "cpe:/o:sun:solaris",
      "@product": "Sun Solaris",
      "@vendor": "Sun Microsystems, Inc.",
      "@version": "2.2"
    }
  ],
  "sec:cvss": {
    "@score": "4.3",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
    "@version": "2.0"
  },
  "sec:identifier": "JVNDB-2009-000037",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/jp/JVN87272440/index.html",
      "@id": "JVN#87272440",
      "@source": "JVN"
    },
    {
      "#text": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033",
      "@id": "CVE-2009-0033",
      "@source": "CVE"
    },
    {
      "#text": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0033",
      "@id": "CVE-2009-0033",
      "@source": "NVD"
    },
    {
      "#text": "http://secunia.com/advisories/35326",
      "@id": "SA35326",
      "@source": "SECUNIA"
    },
    {
      "#text": "http://secunia.com/advisories/35344",
      "@id": "SA35344",
      "@source": "SECUNIA"
    },
    {
      "#text": "http://www.securityfocus.com/bid/35193",
      "@id": "35193",
      "@source": "BID"
    },
    {
      "#text": "http://xforce.iss.net/xforce/xfdb/50928",
      "@id": "50928",
      "@source": "XF"
    },
    {
      "#text": "http://securitytracker.com/alerts/2009/Jun/1022331.html",
      "@id": "1022331",
      "@source": "SECTRACK"
    },
    {
      "#text": "http://www.vupen.com/english/advisories/2009/1496",
      "@id": "VUPEN/ADV-2009-1496",
      "@source": "VUPEN"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-20",
      "@title": "Improper Input Validation(CWE-20)"
    }
  ],
  "title": "Apache Tomcat denial of service (DoS) vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.