HP has released an additional security bulletin and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Description
Multiple versions of Apache Tomcat contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
The vulnerability is due to incorrect processing of headers in the Tomcat Java Apache JServ Protocol (AJP) connector. An unauthenticated, remote attacker could send messages with crafted HTTP headers via a Tomcat Java AJP connector to cause the affected software to stop responding.
Apache has confirmed the vulnerability and updated software is available.
Warning Indicators
The following Apache Software Foundation products are vulnerable:
Apache Tomcat 4.1.0 to 4.1.39
Apache Tomcat 5.5.0 to 5.5.27
Apache Tomcat versions prior to 6.0.20
IntelliShield Analysis
The vulnerability could be exploited by a remote attacker with network access to the affected software. The vulnerability could be used to cause the affected application to stop responding to network requests, resulting in a DoS condition.
Vendor Announcements
Apache has released security notices for CVE-2009-0033 at the following links:
Sun has re-released an alert notification at the following link: 263529
VMware has re-released a security advisory at the following link: VMSA-2009-0016.2
Impact
An unauthenticated, remote attacker could exploit the vulnerability by sending a malicious request to the targeted system using the Java AJP connector, which could cause a DoS condition on the affected application.
Technical Information
The vulnerability is in the incorrect handling of headers received via the Java AJP connector.
An unauthenticated, remote attacker could send a request with invalid headers via the AJP connector. If that AJP connector is a member of a mod_jk load balancing configuration, the load balancer places the connector into an error state. This state temporarily blocks the affected AJP connector from use and causes a DoS condition.
Safeguards
Administrators are advised to apply the appropriate update.
Administrators are advised to restrict network access to vulnerable systems.
Administrators are advised to monitor critical systems for signs of suspicious activity.
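As an added example (not code from this alert, Cisco, or the Apache Tomcat project), the following Python script does two of the checks an administrator would want when acting on the safeguards above: it compares a reported Tomcat version against the affected ranges listed under Warning Indicators (4.1.0 to 4.1.39, 5.5.0 to 5.5.27, and versions prior to 6.0.20), and it scans a Tomcat server.xml for AJP connectors that are reachable from non-loopback addresses, which is one concrete way to restrict network access to the vulnerable connector. The server.xml content embedded below is constructed for the example; the AFFECTED table is transcribed from the alert.

```python
"""Audit helper for the Tomcat AJP invalid-header DoS (CVE-2009-0033).

Added example, not part of the Cisco alert or the Apache Tomcat project.
It checks a version string against the ranges the alert lists and flags
AJP connectors in server.xml that are not bound to a loopback address.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges transcribed from the alert's Warning Indicators section.
# Bounds are inclusive; "prior to 6.0.20" is expressed as 6.0.0 to 6.0.19.
AFFECTED = [
    ((4, 1, 0), (4, 1, 39)),
    ((5, 5, 0), (5, 5, 27)),
    ((6, 0, 0), (6, 0, 19)),
]

# Addresses that keep the AJP connector off the network. Anything else
# (including Tomcat's default of binding every interface) is reported.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_version(version):
    """Turn a string such as '6.0.18' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError("unrecognised Tomcat version string: %r" % version)
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True when the version falls inside one of the alert's affected ranges."""
    parsed = parse_version(version)
    return any(low <= parsed <= high for low, high in AFFECTED)


def exposed_ajp_connectors(server_xml):
    """Return (port, address) for every AJP connector not bound to loopback.

    Tomcat binds a connector to all interfaces when no 'address' attribute
    is present, so a missing attribute is reported as 0.0.0.0.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        if "AJP" not in protocol.upper():
            continue
        address = connector.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            findings.append((int(connector.get("port", "0")), address))
    return findings


# Constructed sample server.xml: one HTTP connector, one AJP connector left
# on the default (all interfaces) binding, one AJP connector bound to loopback.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" />
  </Service>
</Server>
"""


def audit(version, server_xml):
    """Combine both checks into one report dictionary."""
    return {
        "version": version,
        "affected_version": is_affected(version),
        "exposed_ajp": exposed_ajp_connectors(server_xml),
    }


if __name__ == "__main__":
    report = audit("6.0.18", SAMPLE_SERVER_XML)
    print("Tomcat %s affected: %s" % (report["version"], report["affected_version"]))
    for port, address in report["exposed_ajp"]:
        print("AJP connector on port %d bound to %s is network reachable" % (port, address))
```

Run the script against the actual server.xml (read the file and pass its contents to audit) and the version reported by the Tomcat installation. A version inside the affected ranges combined with any reported connector means the update should be applied first and, until then, the AJP connector should be bound to loopback or filtered so that only the front-end web server (for example the mod_jk host) can reach it.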
Patches/Software
Apache has released updated versions of Tomcat at the following links:
Version 18, April 18, 2012, 3:49 PM: HP has released an additional security bulletin and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 17, November 24, 2010, 12:16 PM: HP has released an additional security bulletin and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 16, October 13, 2010, 12:32 PM: IBM has released a security fix to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 15, August 6, 2010, 2:51 PM: Red Hat has released an additional security advisory and updated packages to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 14, May 18, 2010, 11:39 AM: HP has released an additional security bulletin and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 13, March 30, 2010, 9:41 AM: Apple has released a security update and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 12, February 1, 2010, 10:15 AM: VMware has re-released a security advisory with updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 11, November 30, 2009, 1:06 PM: Red Hat has released two additional security advisories and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 10, November 23, 2009, 8:25 AM: VMware has released a security advisory and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 9, November 9, 2009, 5:01 PM: Red Hat has released two additional security advisories and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 8, October 22, 2009, 9:55 AM: HP has released a security bulletin and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 7, October 15, 2009, 11:26 AM: Red Hat has released an additional security advisory and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 6, October 12, 2009, 8:08 AM: Sun has re-released an alert notification with patches to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 5, September 21, 2009, 5:43 PM: Red Hat has released an additional security notice and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability. Apache has re-released a security advisory and additional updated software.
Version 4, September 4, 2009, 10:53 AM: Apache has re-released a security notice and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 3, July 22, 2009, 10:17 AM: Red Hat has released a security advisory and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 2, July 10, 2009, 11:05 AM: Sun has released an alert notification to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
Version 1, June 5, 2009, 3:28 PM: Multiple versions of Apache Tomcat contain a vulnerability in the Java Apache JServ Protocol connector that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.
The security vulnerability applies to the following combinations of products.
Primary Products:
The Jakarta Project
Tomcat Java Server
4.1 Base | 4.1.1 Base | 4.1.10 Base | 4.1.11 Base | 4.1.12 Base | 4.1.13 Base | 4.1.14 Base | 4.1.15 Base | 4.1.16 Base | 4.1.17 Base | 4.1.18 Base | 4.1.19 Base | 4.1.2 Base | 4.1.20 Base | 4.1.21 Base | 4.1.22 Base | 4.1.23 Base | 4.1.24 Base | 4.1.25 Base | 4.1.26 Base | 4.1.27 Base | 4.1.28 Base | 4.1.29 Base | 4.1.3 Base | 4.1.30 Base | 4.1.31 Base | 4.1.32 Base | 4.1.33 Base | 4.1.34 Base | 4.1.35 Base | 4.1.36 Base | 4.1.37 Base | 4.1.39 Base | 4.1.4 Base | 4.1.5 Base | 4.1.6 Base | 4.1.8 Base | 4.1.9 Base | 5.5.0 Base | 5.5.1 Base | 5.5.10 Base | 5.5.11 Base | 5.5.12 Base | 5.5.13 Base | 5.5.14 Base | 5.5.15 Base | 5.5.16 Base | 5.5.17 Base | 5.5.18 Base | 5.5.19 Base | 5.5.2 Base | 5.5.20 Base | 5.5.21 Base | 5.5.22 Base | 5.5.23 Base | 5.5.24 Base | 5.5.25 Base | 5.5.26 Base | 5.5.27 Base | 5.5.3 Base | 5.5.4 Base | 5.5.5 Base | 5.5.6 Base | 5.5.7 Base | 5.5.8 Base | 5.5.9 Base | 6.0.0 Base | 6.0.1 Base | 6.0.10 Base | 6.0.11 Base | 6.0.12 Base | 6.0.13 Base | 6.0.14 Base | 6.0.15 Base | 6.0.16 Base | 6.0.18 Base | 6.0.2 Base | 6.0.3 Base | 6.0.4 Base | 6.0.5 Base | 6.0.6 Base | 6.0.7 Base | 6.0.8 Base | 6.0.9 Base
3.0 .1, .2, .3, Base | 3.5 Base, Update 1, Update 2, Update 3, Update 4 | 4.0 Base
VMware, Inc.
VMware Server
2.0 .0, .1
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.