Theodora Fragkouli

About Theodora Fragkouli

Theodora has graduated from Computer Engineering and Informatics Department in the University of Patras. She also holds a Master degree in Economics from the National and Technical University of Athens. During her studies she has been involved with a large number of projects ranging from programming and software engineering to telecommunications, hardware design and analysis.

Apache Tomcat and Denial-of-service vulnerability

Websites hosted on Apache Tomcat servers seem to be vulnerable against denial-of-service attacks, as was recently proven by security researchers and presented in Denial-of-service vulnerability puts Apache Tomcat servers at risk.

Apache Tomcat servers are widely used for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies. Apache Commons FileUpload is a stand-alone library that developers use to add file upload capability to their Java Web-based applications. It is included in Apache Tomcat versions 7 and 8 by default, so as to support the processing of mime-multipart requests. Well, this is where the denial-of-service vulnerability is located.

The multipart content type is used when an HTTP request needs to include different sets of data in its body. The different data sets are separated by a so-called encapsulation boundary—a string of text defined in the request headers to serve as the boundary.

Security researchers from Trustwave explain that when there are requests with a specified boundary longer than 4091 characters a vulnerable Apache Tomcat server is leeded to an endless loop and the Tomcat process ends up using all available CPU resources until stopped.

The vulnerability was reported responsibly to the Apache Software Foundation on Feb. 4, but was accidentally made public two days later because of an error in addressing an internal email. The same day Apache released a security advisory, despite the absence of patched versions for Commons FileUpload or Tomcat 7 and 8. The vulnerability has been fixed in Commons FileUpload version 1.3.1 that was released on Feb. 7 and a beta version of Tomcat 8.0.3 released recently.

According to Apache, the risk from this vulnerability is lower on older servers running Tomcat 6, because Tomcat 6 uses Commons FileUpload as part of the Manager application, so access to that functionality is limited to authenticated administrators. Code patches are available in the SVN repositories for Commons FileUpload, Tomcat 8 and Tomcat 7, but they need to be manually applied.

Oren Hafif, a security researcher at Trustwave explained in a blog post, that servers running Apache Tomcat 7.0 to 7.0.50 or 8.0 to 8.0.1 and hosting sites that utilize Servlet 3.0 specifications are vulnerable, as also Sites using Apache Commons FileUpload library older than 1.3.1. But these libraries are so commonly used that it is hard to understand that a site is vulnerable.

He released a proof-of-concept exploit written in Ruby that can be used by administrators to test if their Tomcat-hosted sites are vulnerable. So administrators and developers understand if a certain URL is vulnerable to the attack. The tool can also assist white-hat security professionals that are required to confirm the vulnerability throughout an engagement.

Related Whitepaper:

Web Application Security; How to Minimize Prevalent Risk of Attacks

Vulnerabilities in web applications are now the largest vector of enterprise security attacks.

Stories about exploits that compromise sensitive data frequently mention culprits such as cross-site scripting, SQL injection, and buffer overflow. Vulnerabilities like these fall often outside the traditional expertise of network security managers.

Get it Now!  

One Response to "Apache Tomcat and Denial-of-service vulnerability"

  1. Mark Thomas says:

    Just an update that Apache Tomcat 7.0.52 that includes the fix for CVE-2014-0050 was released on 17 Feb 2014.

Leave a Reply


− five = 4



Java Code Geeks and all content copyright © 2010-2014, Exelixis Media Ltd | Terms of Use | Privacy Policy
All trademarks and registered trademarks appearing on Java Code Geeks are the property of their respective owners.
Java is a trademark or registered trademark of Oracle Corporation in the United States and other countries.
Java Code Geeks is not connected to Oracle Corporation and is not sponsored by Oracle Corporation.

Sign up for our Newsletter

20,709 insiders are already enjoying weekly updates and complimentary whitepapers! Join them now to gain exclusive access to the latest news in the Java world, as well as insights about Android, Scala, Groovy and other related technologies.

As an extra bonus, by joining you will get our brand new e-books, published by Java Code Geeks and their JCG partners for your reading pleasure! Enter your info and stay on top of things,

  • Fresh trends
  • Cases and examples
  • Research and insights
  • Two complimentary e-books