A security vulnerability has been discovered in the Apache Tomcat software package. Apache Tomcat is a free web application server for the Java Servlet and JavaServer Pages technologies. The vulnerability is caused by an error in the NIO connector and manifests during the processing of certain requests. A remote, malicious user can exploit it to carry out a denial of service (DoS) attack. Since new versions in which this vulnerability has been fixed are available, users are advised to install them.
Apache Tomcat NIO Connector Remote Denial of Service Vulnerability
VUPEN ID VUPEN/ADV-2011-0293
CVE ID CVE-2011-0534
CWE ID Available in VUPEN VNS Customer Area
CVSS V2 Available in VUPEN VNS Customer Area
Rated as Moderate Risk
Impact Available in VUPEN VNS Customer Area
Authentication Level Available in VUPEN VNS Customer Area
Access Vector Available in VUPEN VNS Customer Area
Release Date 2011-02-07
Technical Description
A vulnerability has been identified in Apache Tomcat, which could be exploited by remote attackers to cause a denial of service. This issue is caused by an error in the NIO connector during request line processing, which could be exploited by remote attackers to crash a vulnerable server, creating a denial of service condition.
Affected Products
Apache Tomcat versions 7.0.0 through 7.0.6
Apache Tomcat versions 6.0.0 through 6.0.30
Solution
Upgrade to Apache Tomcat version 7.0.8 or 6.0.32:
http://archive.apache.org/dist/tomcat
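As an added example (not part of the advisory), the following Python helper turns the Affected Products and Solution sections above into an inventory check: it parses the version string printed by Tomcat's own version.sh/version.bat (or a server banner), tests it against the advisory's inclusive ranges, and names the fixed release to move to. The sample banner lines are constructed for illustration.

```python
import re

# Affected ranges from the advisory (inclusive), keyed by major version.
AFFECTED_RANGES = {
    7: ((7, 0, 0), (7, 0, 6)),
    6: ((6, 0, 0), (6, 0, 30)),
}
# First fixed release per branch, from the advisory's Solution section.
FIXED_VERSIONS = {7: "7.0.8", 6: "6.0.32"}

# Matches e.g. "Server version: Apache Tomcat/7.0.6" (output of version.sh)
# or a "Server: Apache Tomcat/6.0.30" HTTP header.
VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a banner line, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True if version lies inside one of the advisory's affected ranges."""
    if version is None or version[0] not in AFFECTED_RANGES:
        return False
    low, high = AFFECTED_RANGES[version[0]]
    return low <= version <= high


def assess(text):
    """Classify a banner line: ('affected', fixed_version), ('ok', None)
    or ('unknown', None) when no Tomcat version can be extracted."""
    version = parse_version(text)
    if version is None:
        return ("unknown", None)
    if is_affected(version):
        return ("affected", FIXED_VERSIONS[version[0]])
    return ("ok", None)


if __name__ == "__main__":
    # Constructed sample lines, as version.sh or an HTTP response might show.
    for line in ("Server version: Apache Tomcat/7.0.6",
                 "Server: Apache Tomcat/6.0.32",
                 "Server: Apache-Coyote/1.1"):
        print(line, "->", assess(line))
```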
References
http://www.vupen.com/english/advisories/2011/0293
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
Credits
Vulnerability reported by the vendor.
Changelog
2011-02-07 : Initial release