All,

On 5/27/14, 8:46 AM, Mark Thomas wrote:
> CVE-2014-0097 Information Disclosure
> 
> Severity: Important
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> - Apache Tomcat 8.0.0-RC1 to 8.0.3
> - Apache Tomcat 7.0.0 to 7.0.52
> - Apache Tomcat 6.0.0 to 6.0.39
> 
> Description: The code used to parse the request content length
> header did not check for overflow in the result. This exposed a
> request smuggling vulnerability when Tomcat was located behind a
> reverse proxy that correctly processed the content length header.
> 
> Mitigation: Users of affected versions should apply one of the
> following mitigations:
> - Upgrade to Apache Tomcat 8.0.5 or later
>   (8.0.4 contains the fix but was not released)
> - Upgrade to Apache Tomcat 7.0.53 or later
> - Upgrade to Apache Tomcat 6.0.41 or later
>   (6.0.40 contains the fix but was not released)

Alternate mitigation (for httpd):

  # Flag any request whose Content-Length value is 10 or more characters
  # long so that mod_jk does not forward it to Tomcat.
  SetEnvIf "Content-Length" ".{10,}" no-jk=1

You can use any reasonable number in place of "10". Note that a 1GiB
Content-Length would be "1073741824" which is 10 characters, so it
would be rejected.

-chris
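An added illustration, not Tomcat's or httpd's own code, of the two points in this thread: an unchecked digit-accumulating parser silently wraps on a long Content-Length value (a 64-bit signed register is assumed here to mirror a Java long; Tomcat's actual parser is not reproduced), a checked parser rejects it, and the `SetEnvIf` rule above (assumed to be the regex `.{10,}`) blocks the request before it reaches Tomcat:

```python
import re
from typing import Optional

DIGITS = set("0123456789")
MAX_SIGNED_64 = (1 << 63) - 1

# Vulnerable pattern: accumulate digits into a fixed-width signed register
# with no overflow check, so an oversized value wraps to a small number.
def parse_unchecked(value: str) -> int:
    result = 0
    for ch in value:
        if ch not in DIGITS:
            raise ValueError("non-digit in Content-Length")
        result = (result * 10 + (ord(ch) - ord("0"))) & 0xFFFFFFFFFFFFFFFF
    # Reinterpret the 64-bit pattern as a signed value, as Java would.
    return result - (1 << 64) if result >= (1 << 63) else result

# Hardened pattern: refuse any value that would exceed the maximum.
def parse_checked(value: str, max_value: int = MAX_SIGNED_64) -> Optional[int]:
    if not value or any(ch not in DIGITS for ch in value):
        return None
    result = 0
    for ch in value:
        digit = ord(ch) - ord("0")
        if result > (max_value - digit) // 10:
            return None  # next step would overflow: reject the header
        result = result * 10 + digit
    return result

# The httpd workaround: any Content-Length of 10+ characters sets no-jk,
# so mod_jk does not hand the request to Tomcat.
NO_JK_PATTERN = re.compile(r".{10,}")

def httpd_rule_blocks(content_length: str) -> bool:
    return NO_JK_PATTERN.search(content_length) is not None

# Constructed sample: 2**64 + 1 as a decimal string wraps to 1 when unchecked.
WRAPPING_VALUE = "18446744073709551617"
ONE_GIB = "1073741824"
```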
