Theodora Fragkouli

About Theodora Fragkouli

Theodora graduated from the Computer Engineering and Informatics Department of the University of Patras. She also holds a Master's degree in Economics from the National Technical University of Athens. During her studies she was involved in a large number of projects ranging from programming and software engineering to telecommunications, hardware design and analysis.

Apache Tomcat and Denial-of-service vulnerability

Websites hosted on Apache Tomcat servers appear to be vulnerable to denial-of-service attacks, as was recently demonstrated by security researchers and reported in Denial-of-service vulnerability puts Apache Tomcat servers at risk.

Apache Tomcat servers are widely used for hosting applications developed with the Java Servlet and JavaServer Pages (JSP) technologies. Apache Commons FileUpload is a stand-alone library that developers use to add file upload capability to their Java web applications. It is included in Apache Tomcat versions 7 and 8 by default to support the processing of MIME multipart requests, and this is where the denial-of-service vulnerability lies.

The multipart content type is used when an HTTP request needs to carry several sets of data in its body. The individual data sets are separated by a so-called encapsulation boundary, a string declared as a parameter of the Content-Type request header.

Security researchers from Trustwave explain that a request whose declared boundary is longer than 4091 characters drives a vulnerable Apache Tomcat server into an endless loop, and the Tomcat process ends up consuming all available CPU until it is stopped.
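As an added example (not code from the original article, nor from Tomcat or Commons FileUpload), the following Python check parses the Content-Type header and flags multipart requests whose boundary exceeds the 4091-character threshold described above, the kind of rule a reverse proxy or request filter can apply before an unpatched server parses the body. The sample headers are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Threshold quoted in the advisory write-up: a multipart boundary longer than
# 4091 characters drives unpatched Commons FileUpload into an endless loop.
MAX_SAFE_BOUNDARY = 4091

# Matches boundary=value or boundary="quoted value"; names are case-insensitive.
_BOUNDARY_RE = re.compile(r';\s*boundary\s*=\s*(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def parse_boundary(content_type: str) -> Optional[str]:
    """Return the boundary parameter of a multipart Content-Type, else None."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if not media_type.startswith("multipart/"):
        return None
    match = _BOUNDARY_RE.search(content_type)
    if match is None:
        return None
    quoted, bare = match.groups()
    return quoted if quoted is not None else bare


def classify(content_type: str, limit: int = MAX_SAFE_BOUNDARY) -> str:
    """Classify a Content-Type header as a front-end filter would see it."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if not media_type.startswith("multipart/"):
        return "not-multipart"
    boundary = parse_boundary(content_type)
    if not boundary:
        return "missing-boundary"   # malformed; FileUpload cannot parse it either
    if len(boundary) > limit:
        return "oversized"          # reject with 400 before the body is parsed
    return "ok"


def audit(requests: List[Tuple[str, str]], limit: int = MAX_SAFE_BOUNDARY) -> List[str]:
    """Return the ids of requests whose boundary exceeds the safe limit."""
    return [rid for rid, ctype in requests if classify(ctype, limit) == "oversized"]


# Constructed sample headers, not captured traffic.
SAMPLE_REQUESTS = [
    ("r1", "multipart/form-data; boundary=----FormBoundary7MA4YWxkTrZu0gW"),
    ("r2", 'Multipart/Mixed; charset=utf-8; boundary="a b"'),
    ("r3", "multipart/form-data; boundary=" + "A" * 4092),  # one past the limit
    ("r4", "application/json"),
    ("r5", "multipart/form-data"),
]

if __name__ == "__main__":
    for rid, ctype in SAMPLE_REQUESTS:
        print(rid, classify(ctype))
```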

The vulnerability was reported responsibly to the Apache Software Foundation on Feb. 4, but was accidentally made public two days later because of an addressing error in an internal email. The same day Apache released a security advisory, even though no patched versions of Commons FileUpload or of Tomcat 7 and 8 were yet available. The vulnerability has been fixed in Commons FileUpload version 1.3.1, released on Feb. 7, and in the recently released beta of Tomcat 8.0.3.

According to Apache, the risk from this vulnerability is lower on older servers running Tomcat 6, because Tomcat 6 uses Commons FileUpload as part of the Manager application, so access to that functionality is limited to authenticated administrators. Code patches are available in the SVN repositories for Commons FileUpload, Tomcat 8 and Tomcat 7, but they need to be manually applied.

Oren Hafif, a security researcher at Trustwave, explained in a blog post that servers running Apache Tomcat 7.0 to 7.0.50 or 8.0 to 8.0.1 and hosting sites that use the Servlet 3.0 specification are vulnerable, as are sites using a version of the Apache Commons FileUpload library older than 1.3.1. Because these libraries are so commonly used, it is hard to tell whether a given site is vulnerable.

He released a proof-of-concept exploit written in Ruby that administrators can use to test whether their Tomcat-hosted sites are vulnerable, so administrators and developers can determine whether a given URL is exposed to the attack. The tool can also assist white-hat security professionals who need to confirm the vulnerability during an engagement.


One Response to "Apache Tomcat and Denial-of-service vulnerability"

  1. Mark Thomas says:

    Just an update that Apache Tomcat 7.0.52 that includes the fix for CVE-2014-0050 was released on 17 Feb 2014.

Java Code Geeks and all content copyright © 2010-2014, Exelixis Media Ltd | Terms of Use | Privacy Policy | Contact