PublicDateAtUSN: 2015-06-07
Candidate: CVE-2014-0230
PublicDate: 2015-06-07 23:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0230
 https://ubuntu.com/security/notices/USN-2655-1
 https://ubuntu.com/security/notices/USN-2654-1
Description:
 Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does
 not properly handle cases where an HTTP response occurs before finishing the
 reading of an entire request body, which allows remote attackers to cause a
 denial of service (thread consumption) via a series of aborted upload attempts.
Ubuntu-Description:
 It was discovered that Tomcat incorrectly handled HTTP responses occurring
 before the entire request body was finished being read. A remote attacker
 could possibly use this issue to cause a limited denial of service.
Notes:
 mdeslaur> ASF says this is a low severity issue that, unlike the original
 mdeslaur> description, can't cause memory consumption, only a limited
 mdeslaur> denial of service.
 mdeslaur> http://mail-archives.apache.org/mod_mbox/tomcat-announce/201505.mbox/%3C554949D1.8030904%40apache.org%3E
Bugs:
 https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1449975
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785316
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:

Patches_tomcat6:
upstream: https://svn.apache.org/viewvc?view=revision&revision=1659537
upstream_tomcat6: needed
lucid_tomcat6: ignored (reached end-of-life)
precise_tomcat6: released (6.0.35-1ubuntu3.6)
precise/esm_tomcat6: released (6.0.35-1ubuntu3.6)
trusty_tomcat6: released (6.0.39-1ubuntu0.1)
trusty/esm_tomcat6: released (6.0.39-1ubuntu0.1)
utopic_tomcat6: ignored (reached end-of-life)
vivid_tomcat6: ignored (reached end-of-life)
vivid/stable-phone-overlay_tomcat6: DNE
vivid/ubuntu-core_tomcat6: DNE
wily_tomcat6: ignored (reached end-of-life)
xenial_tomcat6: released (6.0.45+dfsg-1)
yakkety_tomcat6: DNE
zesty_tomcat6: DNE
artful_tomcat6: DNE
bionic_tomcat6: DNE
devel_tomcat6: DNE

Patches_tomcat7:
upstream: https://svn.apache.org/viewvc?view=revision&revision=1603781
upstream_tomcat7: needed
lucid_tomcat7: DNE
precise_tomcat7: ignored (reached end-of-life)
precise/esm_tomcat7: DNE (precise was needed)
trusty_tomcat7: released (7.0.52-1ubuntu0.3)
trusty/esm_tomcat7: released (7.0.52-1ubuntu0.3)
utopic_tomcat7: not-affected (7.0.55-1)
vivid_tomcat7: not-affected (7.0.56-2)
vivid/stable-phone-overlay_tomcat7: DNE
vivid/ubuntu-core_tomcat7: DNE
wily_tomcat7: not-affected (7.0.56-2)
xenial_tomcat7: not-affected (7.0.56-2)
yakkety_tomcat7: not-affected (7.0.56-2)
zesty_tomcat7: not-affected (7.0.56-2)
artful_tomcat7: not-affected (7.0.56-2)
bionic_tomcat7: not-affected (7.0.56-2)
devel_tomcat7: not-affected (7.0.56-2)

Patches_tomcat8:
upstream_tomcat8: needed
lucid_tomcat8: DNE
precise_tomcat8: DNE
precise/esm_tomcat8: DNE
trusty_tomcat8: DNE
trusty/esm_tomcat8: DNE
utopic_tomcat8: not-affected (8.0.9-1)
vivid_tomcat8: not-affected (8.0.14-1)
vivid/stable-phone-overlay_tomcat8: DNE
vivid/ubuntu-core_tomcat8: DNE
wily_tomcat8: not-affected (8.0.14-1)
xenial_tomcat8: not-affected (8.0.14-1)
esm-infra/xenial_tomcat8: not-affected (8.0.14-1)
yakkety_tomcat8: not-affected (8.0.14-1)
zesty_tomcat8: not-affected (8.0.14-1)
artful_tomcat8: not-affected (8.0.14-1)
bionic_tomcat8: not-affected (8.0.14-1)
devel_tomcat8: not-affected (8.0.14-1)