CVE-2014-0230
Published: 7 June 2015
Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
From the Ubuntu Security Team
It was discovered that Tomcat incorrectly handled HTTP responses occurring before the entire request body was finished being read. A remote attacker could possibly use this issue to cause a limited denial of service.
Notes
Author | Note |
---|---|
mdeslaur | ASF says this is a low severity issue that, unlike the original description, can't cause memory consumption, only a limited denial of service. http://mail-archives.apache.org/mod_mbox/tomcat-announce/201505.mbox/%3C554949D1.8030904%40apache.org%3E |
Priority
Status
Package | Release | Status |
---|---|---|
tomcat7 (Launchpad, Ubuntu, Debian) | vivid | Not vulnerable (7.0.56-2) |
tomcat7 | artful | Not vulnerable (7.0.56-2) |
tomcat7 | bionic | Not vulnerable (7.0.56-2) |
tomcat7 | lucid | Does not exist |
tomcat7 | precise | Ignored (end of life) |
tomcat7 | trusty | Released (7.0.52-1ubuntu0.3) |
tomcat7 | upstream | Needed |
tomcat7 | utopic | Not vulnerable (7.0.55-1) |
tomcat7 | wily | Not vulnerable (7.0.56-2) |
tomcat7 | xenial | Not vulnerable (7.0.56-2) |
tomcat7 | yakkety | Not vulnerable (7.0.56-2) |
tomcat7 | zesty | Not vulnerable (7.0.56-2) |

Patches (tomcat7): upstream: https://svn.apache.org/viewvc?view=revision&revision=1603781

Package | Release | Status |
---|---|---|
tomcat8 (Launchpad, Ubuntu, Debian) | vivid | Not vulnerable (8.0.14-1) |
tomcat8 | artful | Not vulnerable (8.0.14-1) |
tomcat8 | bionic | Not vulnerable (8.0.14-1) |
tomcat8 | lucid | Does not exist |
tomcat8 | precise | Does not exist |
tomcat8 | trusty | Does not exist |
tomcat8 | upstream | Needed |
tomcat8 | utopic | Not vulnerable (8.0.9-1) |
tomcat8 | wily | Not vulnerable (8.0.14-1) |
tomcat8 | xenial | Not vulnerable (8.0.14-1) |
tomcat8 | yakkety | Not vulnerable (8.0.14-1) |
tomcat8 | zesty | Not vulnerable (8.0.14-1) |

Package | Release | Status |
---|---|---|
tomcat6 (Launchpad, Ubuntu, Debian) | artful | Does not exist |
tomcat6 | bionic | Does not exist |
tomcat6 | lucid | Ignored (end of life) |
tomcat6 | precise | Released (6.0.35-1ubuntu3.6) |
tomcat6 | trusty | Released (6.0.39-1ubuntu0.1) |
tomcat6 | upstream | Needed |
tomcat6 | utopic | Ignored (end of life) |
tomcat6 | vivid | Ignored (end of life) |
tomcat6 | wily | Ignored (end of life) |
tomcat6 | xenial | Released (6.0.45+dfsg-1) |
tomcat6 | yakkety | Does not exist |
tomcat6 | zesty | Does not exist |

Patches (tomcat6): upstream: https://svn.apache.org/viewvc?view=revision&revision=1659537