Having not heard anything from this list about my question, I emailed [EMAIL PROTECTED]. In case anyone wonders about this bug in the future, here's the answer.

-Josh

-----Original Message-----
From: Remy Maucherat [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 5:01 AM
To: [EMAIL PROTECTED]
Subject: Re: Tomcat Denial of Service attack

Josh Schroeder wrote:
> To whom it may concern,
>
> I saw this on bugtraq (full text included below):
> http://online.securityfocus.com/archive/1/277940
>
> It states a vulnerability when Tomcat 4.0.3 on Win 2K/NT is sent a large
> amount of null characters.
>
> The document states that the issue is resolved in 4.1.3 beta.
>
> Is it resolved in 4.0.4 as well?

I failed to find a place where an actual exploit would be detailed, so I don't know for sure if it is fixed in 4.0.4. Some similar DOS issues were fixed in 4.0.4, though.

Remy

--- Josh Schroeder <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I'm deploying Tomcat 4.0.4 stand-alone (no Apache) in
> a production environment and came across the bug
> included below on Bugtraq. Basically, it says Tomcat
> 4.0.3 is vulnerable to a DoS attack based on sending a
> bunch of bad requests with "null characters" that hang
> all the processing threads.
>
> The report says this bug was found in 4.0.3 in late
> May and confirmed fixed in the 4.1.3 beta in early
> June.
>
> What I would like to know is if this bug is fixed in
> 4.0.4 as well, since I can't deploy beta code to a
> production server. I've done a bit of research and
> can't seem to find the answer on the web or in the
> release notes.
>
> Thanks for any help!
>
> -Josh
>
> --------------------------------------------------------------------
>
> Title: Apache Tomcat Denial of Service
>
> BUG-ID: 2002025
> Released: 20th Jun 2002
> --------------------------------------------------------------------
>
> Problem:
> ========
> A malicious user could tie up all 75 working threads and cause a
> Denial of Service situation.
>
>
> Vulnerable:
> ===========
> - Apache Tomcat 4.0.3 on Windows 2000 Server
>
>
> Not Vulnerable:
> ===============
> - Apache Tomcat 4.1.3 beta on Windows 2000 Server
>
>
> Details:
> ========
> By sending a large amount of null characters to the web service
> it is possible to cause a working thread to hang. The default
> installation has 75 working threads, which means this malformed
> request has to be sent to the server 75 times.
>
>
> Vendor URL:
> ===========
> You can visit the vendor webpage here: http://jakarta.apache.org
>
>
> Vendor Response:
> ================
> This was reported to the vendor on the 23rd of May, 2002. We
> never heard back from the vendor. On the 10th of June, 2002, the
> issue was confirmed fixed in the latest build.
>
>
> Corrective action:
> ==================
> Upgrade to V4.1.3 beta, which is available here (URL is wrapped):
>
> "http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release
> /v4.1.3-beta/"
>
>
> Author: Peter Gråndl ([EMAIL PROTECTED])
>
> --------------------------------------------------------------------
> KPMG is not responsible for the misuse of the information we provide
> through our security advisories. These advisories are a service to
> the professional security community. In no event shall KPMG be liable
> for any consequences whatsoever arising out of or in connection
> with the use or spread of this information.
> --------------------------------------------------------------------
