Home » Software Development » Apache Tomcat and Denial-of-service vulnerability

About Theodora Fragkouli

Theodora Fragkouli
Theodora has graduated from Computer Engineering and Informatics Department in the University of Patras. She also holds a Master degree in Economics from the National and Technical University of Athens. During her studies she has been involved with a large number of projects ranging from programming and software engineering to telecommunications, hardware design and analysis. She works as a junior Software Engineer in the telecommunications sector where she is mainly involved with projects based on Java and Big Data technologies.

Apache Tomcat and Denial-of-service vulnerability

Websites hosted on Apache Tomcat servers seem to be vulnerable against denial-of-service attacks, as was recently proven by security researchers and presented in Denial-of-service vulnerability puts Apache Tomcat servers at risk.

Apache Tomcat servers are widely used for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies. Apache Commons FileUpload is a stand-alone library that developers use to add file upload capability to their Java Web-based applications. It is included in Apache Tomcat versions 7 and 8 by default, so as to support the processing of mime-multipart requests. Well, this is where the denial-of-service vulnerability is located.

The multipart content type is used when an HTTP request needs to include different sets of data in its body. The different data sets are separated by a so-called encapsulation boundary—a string of text defined in the request headers to serve as the boundary.

Security researchers from Trustwave explain that when there are requests with a specified boundary longer than 4091 characters a vulnerable Apache Tomcat server is leeded to an endless loop and the Tomcat process ends up using all available CPU resources until stopped.

The vulnerability was reported responsibly to the Apache Software Foundation on Feb. 4, but was accidentally made public two days later because of an error in addressing an internal email. The same day Apache released a security advisory, despite the absence of patched versions for Commons FileUpload or Tomcat 7 and 8. The vulnerability has been fixed in Commons FileUpload version 1.3.1 that was released on Feb. 7 and a beta version of Tomcat 8.0.3 released recently.

According to Apache, the risk from this vulnerability is lower on older servers running Tomcat 6, because Tomcat 6 uses Commons FileUpload as part of the Manager application, so access to that functionality is limited to authenticated administrators. Code patches are available in the SVN repositories for Commons FileUpload, Tomcat 8 and Tomcat 7, but they need to be manually applied.

Oren Hafif, a security researcher at Trustwave explained in a blog post, that servers running Apache Tomcat 7.0 to 7.0.50 or 8.0 to 8.0.1 and hosting sites that utilize Servlet 3.0 specifications are vulnerable, as also Sites using Apache Commons FileUpload library older than 1.3.1. But these libraries are so commonly used that it is hard to understand that a site is vulnerable.

He released a proof-of-concept exploit written in Ruby that can be used by administrators to test if their Tomcat-hosted sites are vulnerable. So administrators and developers understand if a certain URL is vulnerable to the attack. The tool can also assist white-hat security professionals that are required to confirm the vulnerability throughout an engagement.

Do you want to know how to develop your skillset to become a Java Rockstar?

Subscribe to our newsletter to start Rocking right now!

To get you started we give you our best selling eBooks for FREE!

1. JPA Mini Book

2. JVM Troubleshooting Guide

3. JUnit Tutorial for Unit Testing

4. Java Annotations Tutorial

5. Java Interview Questions

6. Spring Interview Questions

7. Android UI Design

and many more ....

One comment

  1. Just an update that Apache Tomcat 7.0.52 that includes the fix for CVE-2014-0050 was released on 17 Feb 2014.

Leave a Reply

Your email address will not be published. Required fields are marked *

*


− 7 = two

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Do you want to know how to develop your skillset and become a ...

Subscribe to our newsletter to start Rocking right now!

To get you started we give you our best selling eBooks for FREE!
Get ready to Rock!
To download the books, please verify your email address by following the instructions found on the email we just sent you.

THANK YOU!

Close