|The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.|
Apache Tomcat: denial of service via SSL and NIO
Synthesis of the vulnerability
An attacker who access Tomcat using the NIO connector and an SSL enabled connection, can cause excessive computing power, in order to deny service.
Impacted products: Tomcat, Debian, Fedora, HP-UX, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.
Creation date: 05/12/2012.
Identifiers: BID-56813, c03734195, CERTA-2012-AVI-706, CERTA-2013-AVI-145, CERTFR-2014-AVI-112, CVE-2012-4534, DSA-2725-1, FEDORA-2012-20151, HPSBUX02866, openSUSE-SU-2013:0161-1, openSUSE-SU-2013:0170-1, openSUSE-SU-2013:0192-1, RHSA-2013:0265-01, RHSA-2013:0266-01, RHSA-2013:0623-01, SSRT101139, VIGILANCE-VUL-12207, VMSA-2013-0006.
Description of the vulnerability
The vulnerability is applicable under the following conditions:
- Tomcat is configured to use the NIO connector.
- Tomcat use the sendfile() system call, which require that the response body is static.
- The connection must use HTTP over SSL.
In this case, when the attacker half close the TCP connection and discard received TCP data, Tomcat enters in a CPU intensive endless loop, while attempting to send the response body.
An attacker who access Tomcat using the NIO connector and an SSL enabled connection, can therefore cause excessive computing power, in order to deny service.
Complete Vigil@nce bulletin.... (Free trial)
Computer vulnerabilities tracking service
Vigil@nce provides systems vulnerabilities bulletins. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The technology watch team tracks security threats targeting the computer system. The Vigil@nce vulnerability database contains several thousand vulnerabilities.