A security flaw has been observed in the code of the Apache Tomcat server that can be used to carry out a DoS attack. The flaw results from the behaviour of the JVM component and is triggered when the functions "javax.servlet.ServletRequest.getLocale()" or "javax.servlet.ServletRequest.getLocales()" are called. If a remote attacker submits a specially crafted request, they can carry out a denial of service (DoS) attack against the vulnerable system. Users are advised to install the available software updates.

Apache Tomcat JVM Request Remote Denial of Service Vulnerability

VUPEN ID             VUPEN/ADV-2011-0294
CVE ID               GENERIC-MAP-NOMATCH
CWE ID               Available in VUPEN VNS Customer Area
CVSS V2              Available in VUPEN VNS Customer Area
Rated as             Moderate Risk
Impact               Available in VUPEN VNS Customer Area
Authentication Level Available in VUPEN VNS Customer Area
Access Vector        Available in VUPEN VNS Customer Area
Release Date         2011-02-07

Technical Description

A vulnerability has been identified in Apache Tomcat which could be exploited by remote attackers to cause a denial of service. The issue is caused by an error in the JVM that is reached when "javax.servlet.ServletRequest.getLocale()" or "javax.servlet.ServletRequest.getLocales()" is called; a remote attacker could trigger it with a specially crafted request and create a denial of service condition.
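Both methods are implemented by parsing the request's Accept-Language header, so the untrusted input reaches the JVM through that parser. The advisory does not say which step of the parse hits the JVM error; the following added example (not Tomcat's code, and not the patch linked below) assumes it is the conversion of a language range's quality value (q=) to a floating-point number, and shows a parser that validates the q value against the HTTP grammar before converting it, so that malformed input never reaches the JVM's number parser.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

// Added example, not Tomcat's code. Assumption: the JVM error described in the
// advisory is reached while a q-value is converted to a floating-point number,
// so the q-value is validated against the HTTP grammar before conversion.
public final class SafeAcceptLanguage {

    // RFC 2616 qvalue: "0" ["." 0*3DIGIT] | "1" ["." 0*3("0")]
    private static final Pattern QVALUE = Pattern.compile("0(\\.[0-9]{0,3})?|1(\\.0{0,3})?");
    // language-range: 1*8ALPHA *("-" 1*8ALPHA) | "*"
    private static final Pattern RANGE = Pattern.compile("[A-Za-z]{1,8}(-[A-Za-z]{1,8})*|\\*");
    private static final int MAX_RANGES = 32;  // bound the work done per request

    private static final class Entry {
        final Locale locale; final double q; final int order;
        Entry(Locale l, double q, int order) { this.locale = l; this.q = q; this.order = order; }
    }

    /** Locales in descending preference; malformed or wildcard entries are dropped, never parsed. */
    public static List<Locale> parse(String header) {
        List<Entry> entries = new ArrayList<>();
        if (header != null) {
            String[] ranges = header.split(",", MAX_RANGES + 1);  // surplus ranges are ignored
            for (int i = 0; i < ranges.length && i < MAX_RANGES; i++) {
                String[] parts = ranges[i].trim().split(";");
                String tag = parts[0].trim();
                if (tag.equals("*") || !RANGE.matcher(tag).matches()) continue;
                double q = 1.0;
                if (parts.length > 1) {
                    String param = parts[1].trim();
                    if (!param.startsWith("q=")) continue;
                    String qv = param.substring(2).trim();
                    if (!QVALUE.matcher(qv).matches()) continue;  // reject before any conversion
                    q = Double.parseDouble(qv);  // only ever sees the bounded grammar above
                }
                if (q == 0.0) continue;  // q=0 means "not acceptable"
                entries.add(new Entry(Locale.forLanguageTag(tag), q, i));
            }
        }
        // Highest q first; header order breaks ties, as clients expect
        entries.sort(Comparator.comparingDouble((Entry e) -> -e.q).thenComparingInt(e -> e.order));
        List<Locale> out = new ArrayList<>();
        for (Entry e : entries) out.add(e.locale);
        return out;
    }
}
```

For a header such as `en-US;q=0.8, fr`, `parse` returns `[fr, en_US]`; a range whose q-value does not match the grammar is simply skipped rather than handed to `Double.parseDouble`.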

Affected Products

Apache Tomcat versions 7.x
Apache Tomcat versions 6.x
Apache Tomcat versions 5.x

Solution

Apply the workaround patch for Apache Tomcat 7.x:
http://svn.apache.org/viewvc?rev=1066244&view=rev

Apply the workaround patch for Apache Tomcat 6.x:
http://svn.apache.org/viewvc?rev=1066315&view=rev

Apply the workaround patch for Apache Tomcat 5.x:
http://svn.apache.org/viewvc?rev=1066318&view=rev

References

http://www.vupen.com/english/advisories/2011/0294
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

Credits

Vulnerability reported by the vendor.

Changelog

2011-02-07: Initial release