Apache Jakarta Tomcat MS-DOS device name request denial of service

jakarta-tomcat-msdos-dos (12102) The risk level is classified as MediumMedium Risk


Jakarta Tomcat, running on some Microsoft Windows operating systems, is vulnerable to a denial of service. By sending a specially-crafted request for JSP Web page containing the name of a MS-DOS device, such as aux.jsp, a remote attacker could consume all available resources and cause the thread to hang.


Denial of Service


Upgrade to the latest version of Jakarta Tomcat (3.3.1a or later), available from the Jakarta Web site. See References.


  • Jakarta Project Web site: The Jakarta Project.
  • Jakarta Web site: Apache Tomcat 3.3.1a Release Notes.
  • CVE-2003-0045: Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp.
  • OSVDB ID: 12233: Apache Tomcat MS-DOS Device Name Request DoS

Platforms Affected:

  • Apache Tomcat 3.0
  • Apache Tomcat 3.1
  • Apache Tomcat 3.1.1
  • Apache Tomcat 3.2
  • Apache Tomcat 3.2.1
  • Apache Tomcat 3.2.3
  • Apache Tomcat 3.2.4
  • Apache Tomcat 3.3
  • Apache Tomcat 3.3.1


Mar 26, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page