Apache Tomcat: Update to Deny DoS

Wednesday, January 18, 2012 @ 03:01 PM gHale

Apache Tomcat developers are advising users of the 7.0.x, 6.0.x and 5.5.x branches of the Java servlet and JSP container to update to the latest releases, 7.0.23, 6.0.35 and 5.5.35, because of inefficiencies in how Tomcat handles large numbers of request parameters and parameter values.

Analysis of the recent hash collision denial-of-service (DoS) vulnerability led the developers to identify “unrelated inefficiencies” that a specially crafted request could exploit to make the server consume large amounts of CPU.


To address the issue, the developers modified the code to efficiently process large numbers of parameters and values.
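The cheap defence against this class of problem is to count parameters before decoding them and refuse a request that carries more than a fixed cap, so the expensive per-parameter work never runs on a flood. The block below is an added illustration written for this page, not Tomcat's own code or the fix the developers shipped; the cap value, the function names and the sample requests are all constructed for the example.

```python
"""Cap the number of request parameters before decoding them.

Added example for this article; it is not Tomcat code.  The parameter cap
and the sample requests below are assumptions made for illustration.
"""

from urllib.parse import parse_qsl

# Assumed cap on parameters per request; tune it to your own workload.
MAX_PARAMETERS = 1000

FORM_TYPE = "application/x-www-form-urlencoded"


class TooManyParameters(ValueError):
    """Raised when a request carries more parameters than the cap allows."""


def is_form_body(content_type: str) -> bool:
    """True for application/x-www-form-urlencoded, ignoring a charset suffix."""
    return content_type.split(";", 1)[0].strip().lower() == FORM_TYPE


def count_parameters(query: str, body: str = "", content_type: str = "") -> int:
    """Count name=value pairs cheaply: one split on '&', no percent-decoding."""
    n = sum(1 for part in query.split("&") if part)
    if body and is_form_body(content_type):
        n += sum(1 for part in body.split("&") if part)
    return n


def parse_request_parameters(query: str, body: str = "", content_type: str = "",
                             limit: int = MAX_PARAMETERS) -> dict:
    """Decode parameters into {name: [values]} only after the cap check passes."""
    n = count_parameters(query, body, content_type)
    if n > limit:
        raise TooManyParameters(f"request carries {n} parameters, limit is {limit}")
    params: dict = {}
    sources = [query]
    if body and is_form_body(content_type):
        sources.append(body)
    for source in sources:
        # Full decoding (percent-escapes, '+' to space) happens only here.
        for name, value in parse_qsl(source, keep_blank_values=True):
            params.setdefault(name, []).append(value)
    return params


def request_is_acceptable(query: str, body: str = "", content_type: str = "",
                          limit: int = MAX_PARAMETERS) -> bool:
    """Convenience wrapper for a filter or front-end proxy: accept or reject."""
    try:
        parse_request_parameters(query, body, content_type, limit)
    except TooManyParameters:
        return False
    return True


# Constructed sample inputs (not captured traffic).
NORMAL_QUERY = "user=alice&action=view&id=42"
NORMAL_BODY = "comment=hello&comment=world"
FLOOD_BODY = "&".join(f"p{i}=x" for i in range(5000))  # 5000 pairs, well over the cap


if __name__ == "__main__":
    print(parse_request_parameters(NORMAL_QUERY, NORMAL_BODY, FORM_TYPE))
    print(request_is_acceptable(NORMAL_QUERY, FLOOD_BODY, FORM_TYPE + "; charset=utf-8"))
```

The count is done on the raw strings with a single split, so the cost of rejecting a flood is linear in the body size and independent of how the container would later store and look up each parameter; a request that passes the cap is then decoded normally.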

The project has been quietly releasing the fixes to the Tomcat code; 7.0.23 appeared at the end of November 2011 and 6.0.35 arrived at the start of December.

Now that the update for the last of the currently supported versions, 5.5.35, has been released, the developers have published their advisory.

Users who have not yet updated can download versions 7.0.23, 6.0.35 and 5.5.35 from the Apache Tomcat site.
