Apache Tomcat non-HTTP request denial of service

tomcat-non-http-dos (13429) The risk level is classified as MediumMedium Risk

Description:

Apache Tomcat server is vulnerable to a denial of service. By sending multiple non-HTTP requests to the server's HTTP connector, a remote attacker could cause the server to stop responding to legitimate requests. The server must be restarted to regain normal functionality.

Platforms Affected:

  • Apache, Tomcat 4.0.0
  • Apache, Tomcat 4.0.1
  • Apache, Tomcat 4.0.2
  • Apache, Tomcat 4.0.3
  • Apache, Tomcat 4.0.4
  • Apache, Tomcat 4.0.5
  • Apache, Tomcat 4.0.6
  • Debian, Debian Linux 3.0
  • Sun, Solaris 10 x86
  • Sun, Solaris 10 SPARC
  • Sun, Solaris 9 x86
  • Sun, Solaris 9 SPARC

Remedy:

For Debian GNU/Linux:
Upgrade to the latest tomcat4 package, as listed below. Refer to DSA-395-1 for more information. See References.

Debian GNU/Linux 3.0 (woody): 4.0.3-3woody3 or later

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

References:

  • Sun Alert ID: 239312, Security Vulnerabilities in Tomcat 4.0 Shipped with Solaris 9 and 10 at http://sunsolve.sun.com/search/document.do?assetkey=1-66-239312-1.
  • ASA-2008-293: Security Vulnerabilities in Tomcat 4.0 Shipped with Solaris 9 and 10 (Sun 239312)
  • BID-8824: Apache Tomcat Non-HTTP Request Denial Of Service Vulnerability
  • CVE-2003-0866: The Catalina org.apache.catalina.connector.http package in Tomcat 4.0.x up to 4.0.3 allows remote attackers to cause a denial of service via several requests that do not follow the HTTP protocol, which causes Tomcat to reject later requests.
  • DSA-395: tomcat4 -- incorrect input handling
  • SA30899: Sun Solaris 9 Tomcat Multiple Vulnerabilities
  • SA30908: Sun Solaris 10 Tomcat Multiple Vulnerabilities
  • VUPEN/ADV-2008-1979: Sun Solaris Tomcat JSP/Servlet Container Multiple Vulnerabilities

Reported:

Oct 15, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page