Menu
Denial-of-service vulnerability puts Apache Tomcat servers at risk

Denial-of-service vulnerability puts Apache Tomcat servers at risk

Attackers can cause Tomcat processes to use all available CPU resources by sending malformed HTTP requests

Security researchers published a proof-of-concept exploit for a recently disclosed vulnerability that allows attackers to launch denial-of-service attacks against websites hosted on Apache Tomcat servers.

Apache Tomcat is a widely used Web server for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies.

The new denial-of-service vulnerability is located in Apache Commons FileUpload, a stand-alone library that developers can use to add file upload capability to their Java Web-based applications. This library is also included by default in Apache Tomcat versions 7 and 8 in order to support the processing of mime-multipart requests.

The multipart content type is used when an HTTP request needs to include different sets of data in its body. The different data sets are separated by a so-called encapsulation boundary -- a string of text defined in the request headers to serve as the boundary.

According to security researchers from Trustwave, requests with a specified boundary longer than 4091 characters will force vulnerable Apache Tomcat servers into an endless loop. As a result, the Tomcat process will end up using all available CPU resources until it is stopped.

The vulnerability, which is being tracked as CVE-2014-0050, was reported responsibly to the Apache Software Foundation on Feb. 4, but was accidentally made public two days later because of an error in addressing an internal e-mail. This prompted Apache to release a security advisory the same day despite the absence of patched versions for Commons FileUpload or Tomcat 7 and 8.

Since then, the vulnerability has been fixed in Commons FileUpload version 1.3.1 that was released on Feb. 7 and a beta version of Tomcat 8.0.3 released yesterday. It's also scheduled to be addressed in Apache Tomcat 7.0.51, but this version of the server has yet to be released.

According to Apache, the risk from this vulnerability is lower on older servers running Tomcat 6. "While Tomcat 6 uses Commons FileUpload as part of the Manager application, access to that functionality is limited to authenticated administrators," Apache said in its advisory.

Code patches are available in the SVN repositories for Commons FileUpload, Tomcat 8 and Tomcat 7, but they need to be manually applied.

Servers running Apache Tomcat 7.0 to 7.0.50 or 8.0 to 8.0.1 and hosting sites that utilize Servlet 3.0 specifications -- for example "request.getPart" or "request.getParts" methods -- are vulnerable, Oren Hafif, a security researcher at Trustwave, said Tuesday in a blog post. Sites using Apache Commons FileUpload library older than 1.3.1 are also vulnerable, he said.

"To be honest, these libraries are so commonly used that you might not even know that your site is vulnerable," Hafif said.

The researcher released a proof-of-concept exploit written in Ruby that administrators can use in their quality assurance or staging environments to test if their Tomcat-hosted sites are vulnerable.

"This can help administrators and developers understand if a certain URL is vulnerable to the attack (but needs to be tested on all URLs)," the researcher said. "The tool can also assist white-hat security professionals that are required to confirm the vulnerability throughout an engagement."

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchestrustwavesecurityExploits / vulnerabilitiesApache Software Foundation

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments