[Full-disclosure] [SECURITY] Oracle JVM bug causes denial of service in Apache Tomcat



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The original report is [1].

Tomcat is affected when accessing a form based security constrained
page or any page that calls javax.servlet.ServletRequest.getLocale() or
javax.servlet.ServletRequest.getLocales().

Work-arounds have been implemented in the following versions:
- - 7.0.8 (released)
- - 6.0.32 (released)
- - 5.5.33 (released expected Monday 7 Feb 2011)

All users are recommended to upgrade to a Tomcat version with the
work-around. Users unable to upgrade can filter malicious requests via a
Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd
reverse proxy) or other filtering as available.

Accept-Language headers that are compliant with RFC 2616 can not trigger
this bug. Therefore, filtering out all request with non-compliant
headers will provide protection against the DOS vulnerability.

The Apache Tomcat Security Team


[1]
http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNTLBnAAoJEBDAHFovYFnnk0IQAOB6xo9/wEqckNzq/MUxfxH8
c131gJ0XcMktGZ7x7A2/SgG/oIfl5B4q78EujtPwHsy8XS9XRKCdJtOz8Ak67zb7
z6UhB+ha2R0fgzJoesZeBiHyH4vymB8izF9npnDuFv+Gij7K08mu5bERMCNNQftc
+/0a7I2QD/K5YoqkYW/1RLwWhrbAXmjE8ysmnTtgfemRxmGL971bx8+9+l9JmGpm
unP+yVYpKNnGXNUSNuL9C0oka2iCzkrPW0UplZyyMsB2iiuKetYESL9KR1rEvxA6
OL4FmS0OxzyPO0UwXFd6qJxc6L2BaWLdhyu7Qp/WnWDFsPDdGa7J87i4WeMsNb2D
GYk+9TNV4S2QOCK1dFuARvCY74QykuthBEUHmCJUOT5fUt3NtGXjMTvBTWZUGIbg
Eqe5nfGxLB2ZcimWoYUKoYJe31/DY8lBFVPl4KVIUlcQ0RLjnE7JqbSey8ZrHZ4o
FY9ZA74ndDUjEaJpwgRVHN6FO7Sts+wDPATYZVvO3lPb0pzwGTBFPAcSiysqbiJT
njwUBWfz5e7cpXpHvCPyh0PGY6giHticXplhKsq9M/ZK1G6ZzFXbBwlACUfLGFK7
Pt4af26arAlcoapJ0PG8AXGPZLztzLVR1jaNBJ9900gIZ/OI5cmZ9n23l0viTtEf
v/8kgZ+3uv6vRb3+wrXH
=oxMp
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • [SECURITY] Oracle JVM bug causes denial of service in Apache Tomcat
    ... Tomcat is affected when accessing a form based security constrained ... Work-arounds have been implemented in the following versions: ... Servlet filter, an httpd re-write rule (if Tomcat is behind an httpd ... Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ ...
    (Bugtraq)
  • Re: Speicherleck in Tomcat-Applikation
    ... Verwendung von Apache CXF. ... dann mit "Bisserl Bug in CXF, gefixt, viel Bug in JRE und/oder Tomcat". ... Bei mir ist es nicht mal Tomcat sondern "nur" der Loader für die Filter in unserem eigenen Mailserver mit dem ich zur Laufzeit dynamisch Filter einbinden/rausnehmen kann bzw. die Konfiguration durch wegschmeissen und neu laden updaten kann. ...
    (de.comp.lang.java)
  • Re: Configuring IIS5.0 with Tomcat5.0.28
    ... Seems like your IIS configuration is OK (the Tomcat redirection filter is ... and Tomcat is not hardwired to port 8080 -- so I ...
    (microsoft.public.inetserver.iis)
  • Re: servlet filter buffer question
    ... It worked fine in Tomcat 4.x, but in Tomcat 5.5 it gives me ... nothing for a small amount of output, and for a large amount of output I ... I've tried setting the JSP page's buffer and autoflush to various ... What function does the filter chain do here? ...
    (comp.lang.java.programmer)
  • Re: Tomcat , filter and persistent connections
    ... > HTTP/1.1 persistent connection with Tomcat. ... > which the request is destined has a filter configured. ... > The client sends multiple requests over the same socket connection to ... > code multiple times for the different requests or will the Filter code ...
    (comp.lang.java.programmer)