
Vulnerability of Apache Tomcat: denial of service via several parameters

Summary of the vulnerability

An attacker can send a request containing a large number of parameters to Apache Tomcat, in order to overload the CPU.
Impacted software: Tomcat, Debian, Fedora, OpenView NNM, HP-UX, NSMXpress, Mandriva Linux, Solaris, RHEL, JBoss EAP by Red Hat, ESX, vCenter Server, VMware vSphere.
Severity of this computer vulnerability: 2/4.
Creation date: 17/01/2012.
References of this announcement: c03183543, c03231290, CERTA-2012-AVI-479, CVE-2012-0022, DSA-2401-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-7258, FEDORA-2012-7593, HPSBMU02747, HPSBUX02741, JSA10600, MDVSA-2012:085, RHSA-2012:0074-01, RHSA-2012:0075-01, RHSA-2012:0076-01, RHSA-2012:0077-01, RHSA-2012:0078-01, RHSA-2012:0091-01, RHSA-2012:0325-01, RHSA-2012:0345-02, RHSA-2012:0474-01, RHSA-2012:0475-01, RHSA-2012:0679-01, RHSA-2012:0680-01, RHSA-2012:0681-01, RHSA-2012:0682-01, RHSA-2012:1331-01, SSRT100728, SSRT100771, VIGILANCE-VUL-11290, VMSA-2012-0003.1, VMSA-2012-0005, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1.

Description of the vulnerability 

An HTTP GET or POST request carries its parameters in the form "para1=value&para2=value&...".

The org/apache/tomcat/util/http/Parameters.java file decodes these parameters. However, the algorithm it uses is inefficient: when a request contains a large number of parameters, Tomcat consumes a great deal of processor time decoding them.

An attacker can therefore send a request containing a large number of parameters to Apache Tomcat, in order to overload the CPU.

This vulnerability is different from VIGILANCE-VUL-11383.
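As an added defender-side example (not part of the Vigil@nce bulletin), the following Python script scans Tomcat access-log lines written in the default AccessLogValve "common" pattern and flags requests whose query string carries an unusually large number of parameters. The sample log lines, the client addresses and the threshold of 1000 parameters are constructed assumptions.

```python
import re
from typing import Dict, List

# Fields of the AccessLogValve "common" pattern: client, ident, user, [timestamp],
# "METHOD target protocol", status, bytes. Only the parts we need are captured.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def count_query_parameters(target: str) -> int:
    """Count the name=value pairs Tomcat would decode from the query string.

    Tomcat splits the query on '&'; empty segments such as in "a=1&&b=2" are
    skipped, and a segment without '=' still counts as one parameter."""
    if "?" not in target:
        return 0
    query = target.split("?", 1)[1]
    return sum(1 for part in query.split("&") if part)


def find_parameter_floods(log_text: str, threshold: int = 1000) -> List[Dict[str, object]]:
    """Return the access-log entries whose URL carries more than `threshold` parameters."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a recognised access-log line
        count = count_query_parameters(match.group("target"))
        if count > threshold:
            hits.append({
                "client": match.group("client"),
                "method": match.group("method"),
                "params": count,
                "status": int(match.group("status")),
            })
    return hits


# Constructed sample log: two ordinary requests and one GET carrying 2000 parameters.
FLOOD_QUERY = "&".join(f"p{i}=x" for i in range(2000))
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [17/Jan/2012:10:15:02 +0100] "GET /app/search?q=tomcat&page=2 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [17/Jan/2012:10:15:03 +0100] "POST /app/login HTTP/1.1" 302 0',
    f'10.0.0.9 - - [17/Jan/2012:10:15:04 +0100] "GET /app/search?{FLOOD_QUERY} HTTP/1.1" 200 128',
])

if __name__ == "__main__":
    for hit in find_parameter_floods(SAMPLE_LOG):
        print(hit)
```

Access logs do not record POST bodies, so this only surfaces floods carried in the URL; the fixed versions listed under "Solutions" remain the actual remedy, and Tomcat 7.0.23 and later also expose the Connector attribute maxParameterCount to cap the number of parameters accepted per request.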

This security announcement impacts software or systems such as Tomcat, Debian, Fedora, OpenView NNM, HP-UX, NSMXpress, Mandriva Linux, Solaris, RHEL, JBoss EAP by Red Hat, ESX, vCenter Server, VMware vSphere.

Our Vigil@nce team determined that the severity of this threat is medium.

The trust level is: confirmed by the vendor. The attack origin is: internet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat 

Apache Tomcat: version 7.0.23.
Version 7.0.23 is fixed:
  http://tomcat.apache.org/download-70.cgi

Apache Tomcat: version 6.0.35.
Version 6.0.35 is fixed:
  http://tomcat.apache.org/download-60.cgi

Apache Tomcat: version 5.5.35.
Version 5.5.35 is fixed:
  http://tomcat.apache.org/download-55.cgi

Debian: new tomcat6 packages.
New packages are available:
  tomcat6 6.0.35-1+squeeze2

Fedora: new tomcat6 packages.
New packages are available:
  tomcat6-6.0.35-1.fc16
  tomcat6-6.0.35-1.fc17

HP OV NNM: hotfix SSRT100771.
Hotfix SSRT100771 is available.

HP-UX Web Server Suite: version 3.22.
Version 3.22 is fixed:
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW322

Juniper NSM: version 2012.2R5.
Version 2012.2R5 is fixed:
  http://www.juniper.net/support/downloads/?p=nsm#sw

Mandriva: new tomcat5 packages.
New packages are available:
  tomcat5-5.5.28-0.5.0.4mdv2010.2
  tomcat5-5.5.28-0.5.0.4mdvmes5.2

Red Hat JBoss Enterprise: patch.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.2.0
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=5.2.0
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.2.0+GA

Red Hat JBoss Enterprise Portal Platform 4.3 CP07: update.
An update is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=4.3+CP07

Red Hat JBoss Operations Network: version 3.1.1.
Version 3.1.1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=em&version=3.1.1

RHEL JBoss Enterprise Web Server: new tomcat5 packages.
New packages are available:
  JBoss Enterprise Web Server 1.0 for RHEL 5 Server:
    tomcat5-5.5.33-27_patch_07.ep5.el5
  JBoss Enterprise Web Server 1.0 for RHEL 6 Server:
    tomcat5-5.5.33-28_patch_07.ep5.el6
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2

RHEL JBoss Enterprise Web Server: new tomcat6 packages.
New packages are available:
  JBoss Enterprise Web Server 1.0 for RHEL 5 Server:
    tomcat6-6.0.32-24_patch_07.ep5.el5
  JBoss Enterprise Web Server 1.0 for RHEL 6 Server:
    tomcat6-6.0.32-24_patch_07.ep5.el6
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2

RHEL: new JBoss Enterprise packages.
New packages are available, as indicated in information sources.

RHEL: new tomcat packages.
New packages are available:
  tomcat5-5.5.23-0jpp.31.el5_8
  tomcat6-6.0.24-36.el6_2

Solaris 10: patch for Oracle Java Web Console.
A patch is available:
  SPARC: 147673-04
  X86: 147674-04

Solaris: patch for Apache Tomcat.
A patch is available:
  Solaris 9:
    contact support
  Solaris 10:
    SPARC: 122911-29
    X86: 122912-29
  Solaris 11:
    11/11 SRU 4

VMware ESX 4.0: patch ESX400-201209001.
A patch is available:
  ESX400-201209001
  http://kb.vmware.com/kb/2019661

VMware ESX: version 4.1 Update 3.
Version 4.1 Update 3 is fixed:
  http://kb.vmware.com/kb/2020362

VMware vCenter Server: version 4.0 Update 4a.
Version 4.0 Update 4a is fixed:
  http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_0
  https://www.vmware.com/support/vsphere4/doc/vsp_vc40_u4a_rel_notes.html

VMware vCenter Server: version 4.1 Update 3.
Version 4.1 Update 3 is fixed:
  http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1
  https://www.vmware.com/support/vsphere4/doc/vsp_vc41_u3_rel_notes.html

VMware vCenter Server: version 5.0 Update 1.
Version 5.0 Update 1 is fixed:
  http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/5_0
