Vulnerability Alert

Apache Tomcat Java Apache JServ Protocol Connector Invalid Header Denial of Service Vulnerability

 
Threat Type: CWE-399: Resource Management Errors
IntelliShield ID: 18414
Version: 19
First Published: 2009 June 05 19:28 GMT
Last Published: 2013 April 01 20:23 GMT
Port: Not available
CVE: CVE-2009-0033
BugTraq ID: 35193
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 5.0 (CVSS version 2.0)
CVSS Temporal: 3.7
 
Version Summary: HP has released an additional security bulletin and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.
 
 
Description
Multiple versions of Apache Tomcat contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to incorrect processing of requests with invalid headers in the Tomcat Java Apache JServ Protocol (AJP) connector. An unauthenticated, remote attacker could send a request with crafted HTTP headers that reaches Tomcat through the AJP connector. When that connector is a member of a mod_jk load-balancing worker, the resulting error takes the worker out of service temporarily, so the affected application stops responding to requests routed through it.

Apache has confirmed the vulnerability and updated software is available.
 
Warning Indicators
The following Apache Software Foundation products are vulnerable:
  • Apache Tomcat 4.1.0 to 4.1.39
  • Apache Tomcat 5.5.0 to 5.5.27
  • Apache Tomcat 6.0.0 to 6.0.18 (all releases prior to 6.0.20)
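The affected ranges above, turned into a check that can be run over the output of `catalina.sh version` (or `version.sh`) on a Tomcat 5.5/6.0 install. This is an added example, not part of the original alert; the ranges and the fixed releases (4.1.40, 5.5.28, 6.0.20) are taken from this alert, and the sample output is constructed.

```python
"""Check a reported Apache Tomcat version against the ranges this alert
lists as affected by CVE-2009-0033.

Added example; not part of the original alert. The affected ranges and the
fixed releases (4.1.40, 5.5.28, 6.0.20) are taken from the alert. The sample
`catalina.sh version` output below is constructed for illustration.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive lower bound, exclusive upper bound: the exclusive bound is the
# first fixed release on each branch.
AFFECTED_RANGES = [
    ((4, 1, 0), (4, 1, 40)),   # 4.1.0 to 4.1.39
    ((5, 5, 0), (5, 5, 28)),   # 5.5.0 to 5.5.27
    ((6, 0, 0), (6, 0, 20)),   # 6.0.x prior to 6.0.20
]
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (4, 1): (4, 1, 40), (5, 5): (5, 5, 28), (6, 0): (6, 0, 20)}

_SERVER_LINE = re.compile(
    r"Server (?:version|number):\s*(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)")
_ANY_TRIPLE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from 'Apache Tomcat/6.0.18', '6.0.18.0' or a
    full `catalina.sh version` dump. The 'Server version/number' lines are
    preferred so that JVM or OS version strings in the dump are not picked up.
    Returns None when no dotted version is present."""
    m = _SERVER_LINE.search(text) or _ANY_TRIPLE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the version falls inside one of the affected ranges."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def assess(text: str) -> dict:
    """Summarise exposure for a version string or `catalina.sh version` dump."""
    version = parse_version(text)
    if version is None:
        return {"version": None, "affected": False, "fixed_in": None,
                "note": "no Tomcat version found in input"}
    fixed_in = FIXED_RELEASES.get(version[:2])
    if fixed_in is None:
        note = "branch not covered by this alert"
    elif is_affected(version):
        note = "affected; upgrade to %d.%d.%d or later" % fixed_in
    else:
        note = "not affected (at or beyond the fixed release)"
    return {"version": version, "affected": is_affected(version),
            "fixed_in": fixed_in, "note": note}


# Constructed sample of `catalina.sh version` output from a 6.0.18 install.
SAMPLE_OUTPUT = """\
Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/6.0.18
Server built:   Jul 22 2008 02:00:36
Server number:  6.0.18.0
OS Name:        Linux
OS Version:     2.6.18-128.el5
JVM Version:    1.6.0_14-b08
"""

if __name__ == "__main__":
    print(assess(SAMPLE_OUTPUT))
```

The `Server version`/`Server number` lines are matched first so that the JVM or OS version strings in the same dump are never mistaken for the Tomcat version; a bare dotted triple is accepted only as a fallback for inputs such as a package version field.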
 
IntelliShield Analysis
The vulnerability could be exploited by a remote attacker with network access to the affected software. Exploitation requires that the affected AJP connector be a member of a mod_jk load-balancing worker; the crafted request then causes the affected application to stop responding to network requests routed through that worker, resulting in a DoS condition.
 
Vendor Announcements
Apache has released security notices for CVE-2009-0033 at the following links:

Apple has released a security update at the following link: Security Update 2010-002/Mac OS X v10.6.3 Update

HP has released security bulletins at the following links: c01908935 at HPSBUX02466 SSRT090192, c02181353 at HPSBMA02535 SSRT100029, c02515878 at HPSBUX02579 SSRT100203, c03281831 at HPSBOV02762 SSRT100825, and c03716627 at HPSBUX02860 SSRT101146

IBM has released a list of fixes at the following link: IBM Tivoli Netcool/Webtop V2.1 Fix List

Red Hat has released security advisories at the following links: RHSA-2009-1164-1, RHSA-2009:1454, RHSA-2009:1506-1, RHSA-2009:1562, RHSA-2009:1563, RHSA-2009:1616, RHSA-2009:1617, and RHSA-2010:0602

Sun has re-released an alert notification at the following link: 263529

VMware has re-released a security advisory at the following link: VMSA-2009-0016.2
 
Impact
An unauthenticated, remote attacker could exploit the vulnerability by sending a malicious request that reaches the targeted system through the Java AJP connector, which could cause a DoS condition on the affected application.
 
Technical Information
The vulnerability is in the incorrect handling of requests with invalid headers received via the Java AJP connector. Rather than returning an error response to the caller, the affected connector closes the AJP connection.

An unauthenticated, remote attacker could send a request with invalid headers that reaches Tomcat through the AJP connector. If that connector is a member of a mod_jk load-balancing worker, mod_jk treats the closed connection as a failure of that member and places it in an error state. This condition temporarily blocks the affected AJP connector from use (on the order of a minute) and causes a DoS condition for requests routed through it.
 
Safeguards
Administrators are advised to apply the appropriate update.

Administrators are advised to restrict network access to vulnerable systems.

Administrators are advised to monitor critical systems for signs of suspicious activity.
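One way to act on the "restrict network access" safeguard for the AJP connector itself, as an added example that is not part of the original alert: the Tomcat Connector element accepts an `address` attribute, and binding the AJP connector to loopback keeps the port unreachable from other hosts when mod_jk runs on the same machine. The caveat follows from the Technical Information section: the error state is triggered by a request that mod_jk relays to Tomcat, so a loopback binding does not stop requests arriving through a front-end web server; the update is the fix, and this audit only closes direct network access to the AJP port. Both server.xml documents below are constructed and assume the connector is declared with protocol="AJP/1.3" as in the stock Tomcat 5.5/6.0 configuration (Tomcat 4.1 declares the connector differently and is not matched by this check).

```python
"""Audit a Tomcat server.xml for AJP connectors reachable from the network.

Added example, not part of the original alert. Implements the alert's
"restrict network access" safeguard for the AJP connector by checking the
Connector `address` attribute. Assumes the connector is declared with
protocol="AJP/1.3" as in the stock Tomcat 5.5/6.0 server.xml. Both XML
documents below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Weak: no `address`, so the AJP connector listens on every interface and any
# host that can reach port 8009 talks to it directly.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Hardened: the same connector bound to loopback only, for a mod_jk front end
# running on the same host.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""


def ajp_connectors(server_xml: str) -> List[Tuple[str, str]]:
    """Return (port, address) for every AJP connector in the document.
    address is '' when the attribute is absent, i.e. bound to all interfaces."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        if conn.get("protocol", "").upper().startswith("AJP"):
            found.append((conn.get("port", ""), conn.get("address", "")))
    return found


def exposed_ajp_connectors(server_xml: str) -> List[Tuple[str, str]]:
    """AJP connectors that are not bound to a loopback address."""
    return [(port, addr) for port, addr in ajp_connectors(server_xml)
            if addr not in LOOPBACK]


def report(server_xml: str) -> str:
    """One-line verdict suitable for a configuration audit script."""
    exposed = exposed_ajp_connectors(server_xml)
    if not exposed:
        return "OK: no AJP connector listens on a non-loopback address"
    return "EXPOSED: " + ", ".join(
        "port %s bound to %s" % (port, addr or "all interfaces")
        for port, addr in exposed)


if __name__ == "__main__":
    print(report(WEAK_SERVER_XML))
    print(report(HARDENED_SERVER_XML))
```

Where mod_jk runs on a separate host, the `address` binding cannot be loopback and the same restriction has to come from a host or network firewall that admits only the front-end servers to the AJP port; in either case it leaves the relayed-request path, and therefore this vulnerability, to be closed by the update.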
 
Patches/Software
Apache has released updated versions of Tomcat at the following links:

Apache Tomcat 4.1.40
Apache Tomcat 5.5.28
Apache Tomcat 6.0.20

Apple has released updated software at the following links:

Mac OS X Server v10.6.3 Update
Mac OS X Server v10.6.3 Update (Combo)
Security Update 2010-002 Server (Leopard)

HP has released updates at the following links:

HP-UX B.11.23 and HP-UX B.11.31 PA-32
HPUX22SATW-1123-32.depot

HP-UX B.11.23 and HP-UX B.11.31 IA-64
HPUX22SATW-1123-64.depot

HP-UX B.11.11 PA-32
HPUXSATW-1111-64-32.depot

HP-UX B.11.23 PA-32 and IA-64
HPUXWSATW-1123-64-bit.depot

HP-UX B.11.31 IA-32 and IA-64
HPUXSATW-1131-64.depot

HP Performance Manager for HP-UX (IA)
HPPM8CPI_00001 or subsequent

HP Performance Manager for HP-UX (PA)
HPPM8CPP_00001 or subsequent

HP Performance Manager for Linux
HPPM8CPL_00001 or subsequent

HP Performance Manager for Solaris
HPPM8CPS_00001 or subsequent

HP Performance Manager for Windows
HPPM8CPW_00001 or subsequent

HP-UX Web Server Suite v.3.13
HPUXWS22ATW-B313-32.depot
HPUXWS22ATW-B313-64.depot
HP-UX_11.23_HPUXWS22T-B5536-1123.depot
HP-UX_11.31_HPUXWS22T-B5536-1131.depot

CSWS_JAVA V3.2

IBM has released a fix at the following link: IBM Tivoli Netcool/Webtop V2.1

Red Hat packages can be updated using the up2date or yum command.

Sun has released patches at the following links:

SPARC
Solaris 9 with patch 114016-05 or later
Solaris 10 with patch 122911-17 or later

Intel
Solaris 9 with patch 114017-05 or later
Solaris 10 with patch 122912-17 or later

VMware has released updated software at the following links:

vCenter 4.0
Update 1

ESX 4.0
ESX400-200911223-UG

VirtualCenter 2.5
Update 6

 
Alert History
 

Version 18, April 18, 2012, 3:49 PM: HP has released an additional security bulletin and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 17, November 24, 2010, 12:16 PM: HP has released an additional security bulletin and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 16, October 13, 2010, 12:32 PM: IBM has released a security fix to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 15, August 6, 2010, 2:51 PM: Red Hat has released an additional security advisory and updated packages to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 14, May 18, 2010, 11:39 AM: HP has released an additional security bulletin and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 13, March 30, 2010, 9:41 AM: Apple has released a security update and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 12, February 1, 2010, 10:15 AM: VMware has re-released a security advisory with updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 11, November 30, 2009, 1:06 PM: Red Hat has released two additional security advisories and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 10, November 23, 2009, 8:25 AM: VMware has released a security advisory and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 9, November 9, 2009, 5:01 PM: Red Hat has released two additional security advisories and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 8, October 22, 2009, 9:55 AM: HP has released a security bulletin and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 7, October 15, 2009, 11:26 AM: Red Hat has released an additional security advisory and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 6, October 12, 2009, 8:08 AM: Sun has re-released an alert notification with patches to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 5, September 21, 2009, 5:43 PM: Red Hat has released an additional security notice and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability. Apache has re-released a security advisory and additional updated software.

Version 4, September 4, 2009, 10:53 AM: Apache has re-released a security notice and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 3, July 22, 2009, 10:17 AM: Red Hat has released a security advisory and updated software to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 2, July 10, 2009, 11:05 AM: Sun has released an alert notification to address the Apache Tomcat Java Apache JServ protocol connector invalid header denial of service vulnerability.

Version 1, June 5, 2009, 3:28 PM: Multiple versions of Apache Tomcat contain a vulnerability in the Java Apache JServ Protocol connector that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
The Jakarta Project: Tomcat Java Server 4.1 Base | 4.1.1 Base | 4.1.2 Base | 4.1.3 Base | 4.1.4 Base | 4.1.5 Base | 4.1.6 Base | 4.1.8 Base | 4.1.9 Base | 4.1.10 Base | 4.1.11 Base | 4.1.12 Base | 4.1.13 Base | 4.1.14 Base | 4.1.15 Base | 4.1.16 Base | 4.1.17 Base | 4.1.18 Base | 4.1.19 Base | 4.1.20 Base | 4.1.21 Base | 4.1.22 Base | 4.1.23 Base | 4.1.24 Base | 4.1.25 Base | 4.1.26 Base | 4.1.27 Base | 4.1.28 Base | 4.1.29 Base | 4.1.30 Base | 4.1.31 Base | 4.1.32 Base | 4.1.33 Base | 4.1.34 Base | 4.1.35 Base | 4.1.36 Base | 4.1.37 Base | 4.1.39 Base | 5.5.0 Base | 5.5.1 Base | 5.5.2 Base | 5.5.3 Base | 5.5.4 Base | 5.5.5 Base | 5.5.6 Base | 5.5.7 Base | 5.5.8 Base | 5.5.9 Base | 5.5.10 Base | 5.5.11 Base | 5.5.12 Base | 5.5.13 Base | 5.5.14 Base | 5.5.15 Base | 5.5.16 Base | 5.5.17 Base | 5.5.18 Base | 5.5.19 Base | 5.5.20 Base | 5.5.21 Base | 5.5.22 Base | 5.5.23 Base | 5.5.24 Base | 5.5.25 Base | 5.5.26 Base | 5.5.27 Base | 6.0.0 Base | 6.0.1 Base | 6.0.2 Base | 6.0.3 Base | 6.0.4 Base | 6.0.5 Base | 6.0.6 Base | 6.0.7 Base | 6.0.8 Base | 6.0.9 Base | 6.0.10 Base | 6.0.11 Base | 6.0.12 Base | 6.0.13 Base | 6.0.14 Base | 6.0.15 Base | 6.0.16 Base | 6.0.18 Base

Associated Products:
Apple: Mac OS X Server 10.5 Intel, PPC | 10.5.1 Intel, PPC | 10.5.2 Intel, PPC | 10.5.3 Intel, PPC | 10.5.4 Intel, PPC | 10.5.5 Intel, PPC | 10.5.6 Intel, PPC | 10.5.7 Intel, PPC | 10.5.8 Intel, PPC | 10.6 Intel, PPC | 10.6.1 Intel, PPC | 10.6.2 Base
HP: HP-UX 11.11/11i Base | 11.23 Base | 11.31 Base
HP: HP-UX Web Server Suite (HPUXWSSUITE) 3.12 Base
HP: Performance Manager 8.10 Base | 8.20 Base | 8.21 Base
HP: Secure Web Server (SWS) for OpenVMS Itanium 2.1 -1 | 2.20 Base
HP: Secure Web Server (SWS) for OpenVMS Alpha 2.1 -1 | 2.20 Base
IBM: IBM Tivoli Netcool/Webtop 2.1.0 Base, FP 1, FP 2, FP 3, FP 4, FP 5, FP 6, FP 7, FP 8, FP 9
Red Hat, Inc.: Certificate System 7.3 x86_64, IA-32
Red Hat, Inc.: JBoss Enterprise Web Server EL4 IA-32, x86_64 | EL5 IA-32, x86_64
Red Hat, Inc.: Red Hat Application Server 2 i386, ia64, ppc, x86_64
Red Hat, Inc.: Red Hat Developer Suite 3 IA-32, IA-64, PPC, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux 5 IA-32, IA-64, PPC, ppc64, s390, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Desktop 5 IA-32, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Desktop Workstation 5 IA-32, x86-64
Red Hat, Inc.: Red Hat Enterprise Linux EUS (Extended Update Support) 5.3.z IA-32, IA-64, PPC, ppc64, s390, s390x, x86_64
Red Hat, Inc.: Red Hat Network Satellite 5.1 Base | 5.2 Base | 5.3 Base
Sun Microsystems, Inc.: Solaris 9 sparc, intel | 10 sparc, x64/x86
VMware, Inc.: VirtualCenter 2.0.2 Base, Update 1, Update 2, Update 3, Update 4, Update 5 | 2.5 Base, Update 1, Update 2, Update 3 | 4.0 Base
VMware, Inc.: VMware ESX Server 3.0 Base, .1, .2, .3 | 3.5 Base, Update 1, Update 2, Update 3, Update 4 | 4.0 Base
VMware, Inc.: VMware Server 2.0 .0, .1




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by  IntelliShield