Hi all, I'm deploying Tomcat 4.0.4 stand-alone (no Apache) in a production environment and came across the bug included below on Bugtraq. Basically, it says Tomcat 4.0.3 is vulnerable to a DoS attack based on sending a bunch of bad requests with "null characters" that hang all the processing threads.
The report says this bug was found in 4.0.3 in late May and confirmed fixed in the 4.1.3 beta in early June. What I would like to know is if this bug is fixed in 4.0.4 as well, since I can't deploy beta code to a production server. I've done a bit of research and can't seem to find the answer on the web or in the release notes. Thanks for any help!

-Josh

--------------------------

--------------------------------------------------------------------
Title:    Apache Tomcat Denial of Service
BUG-ID:   2002025
Released: 20th Jun 2002
--------------------------------------------------------------------

Problem:
========
A malicious user could tie up all 75 working threads and cause a Denial of Service situation.

Vulnerable:
===========
- Apache Tomcat 4.0.3 on Windows 2000 Server

Not Vulnerable:
===============
- Apache Tomcat 4.1.3 beta on Windows 2000 Server

Details:
========
By sending a large amount of null characters to the web service it is possible to cause a working thread to hang. The default installation has 75 working threads, which means this malformed request has to be sent to the server 75 times.

Vendor URL:
===========
You can visit the vendor webpage here: http://jakarta.apache.org

Vendor Response:
================
This was reported to the vendor on the 23rd of May, 2002. We never heard back from the vendor. On the 10th of June, 2002, the issue was confirmed fixed in the latest build.

Corrective action:
==================
Upgrade to V4.1.3 beta, which is available here (URL is wrapped):
"http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release
/v4.1.3-beta/"

Author: Peter Gründl ([EMAIL PROTECTED])
--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community.
In no event shall KPMG be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information.
--------------------------------------------------------------------
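The advisory's Details section describes a fixed pool of 75 worker threads, each of which stays hung after processing one malformed request. The following is an added example, not code from the original post, from KPMG or from the Tomcat project: a small Python model of such a pool that shows why the pool is exhausted after exactly as many hung requests as there are workers, and how a per-request timeout that reclaims stuck workers bounds the outage. The request bytes, the tick-based timeout and the WorkerPool class are all constructed for illustration; the advisory does not say which connector setting, if any, corresponds to this timeout in Tomcat 4.

```python
# Added example (not from the post, the advisory or Tomcat): a simulated
# worker pool illustrating thread exhaustion by requests that never complete,
# and the effect of reclaiming hung workers after a timeout.
from dataclasses import dataclass, field
from typing import Dict, Optional

NUL = b"\x00"


def contains_nul(request: bytes) -> bool:
    """Detection check: flag a raw request carrying NUL bytes.
    A front-end filter or IDS rule can use this to reject or log such
    requests before they reach the servlet container."""
    return NUL in request


@dataclass
class WorkerPool:
    max_workers: int = 75                 # default pool size cited in the advisory
    timeout: Optional[int] = None         # ticks after which a hung worker is reclaimed
    busy: Dict[int, int] = field(default_factory=dict)  # worker id -> tick it hung at
    tick: int = 0
    refused: int = 0

    def _reclaim(self) -> None:
        """Free workers that have been hung for at least `timeout` ticks."""
        if self.timeout is None:
            return
        for wid, since in list(self.busy.items()):
            if self.tick - since >= self.timeout:
                del self.busy[wid]

    def handle(self, request: bytes) -> str:
        """Process one request and report what happened to it."""
        self.tick += 1
        self._reclaim()
        if len(self.busy) >= self.max_workers:
            self.refused += 1
            return "refused"          # every worker is hung: denial of service
        if contains_nul(request):
            # Model of the advisory's bug: the worker never returns on its own.
            wid = next(i for i in range(self.max_workers) if i not in self.busy)
            self.busy[wid] = self.tick
            return "hung"
        return "served"               # a normal request completes and frees its worker


def simulate(malicious: int, benign: int, timeout: Optional[int] = None) -> dict:
    """Send `malicious` NUL-laden requests, then `benign` normal ones, and
    report the pool state. Request bytes are constructed sample input."""
    pool = WorkerPool(timeout=timeout)
    for _ in range(malicious):
        pool.handle(b"GET /" + NUL * 64 + b" HTTP/1.0\r\n\r\n")
    served = sum(
        pool.handle(b"GET /index.html HTTP/1.0\r\n\r\n") == "served"
        for _ in range(benign)
    )
    return {"hung_workers": len(pool.busy), "benign_served": served, "refused": pool.refused}


if __name__ == "__main__":
    print("no timeout, 74 hung requests:", simulate(74, 10))
    print("no timeout, 75 hung requests:", simulate(75, 10))
    print("timeout=10, 75 hung requests:", simulate(75, 10, timeout=10))
```

With no timeout the outcome flips from fully serving to fully refusing at the 75th hung request, which matches the "has to be sent to the server 75 times" statement; with a short reclaim timeout the same 75 requests leave the pool able to serve every later benign request. In practice the model argues for two defensive layers besides upgrading: rejecting requests with NUL bytes at a front-end filter (the `contains_nul` check) and making sure hung workers are reclaimed rather than held forever.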
