Software Development

Apache Tomcat and Denial-of-service vulnerability

Websites hosted on Apache Tomcat servers seem to be vulnerable against denial-of-service attacks, as was recently proven by security researchers and presented in Denial-of-service vulnerability puts Apache Tomcat servers at risk.

Apache Tomcat servers are widely used for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies. Apache Commons FileUpload is a stand-alone library that developers use to add file upload capability to their Java Web-based applications. It is included in Apache Tomcat versions 7 and 8 by default, so as to support the processing of mime-multipart requests. Well, this is where the denial-of-service vulnerability is located.

The multipart content type is used when an HTTP request needs to include different sets of data in its body. The different data sets are separated by a so-called encapsulation boundary—a string of text defined in the request headers to serve as the boundary.

Security researchers from Trustwave explain that when there are requests with a specified boundary longer than 4091 characters a vulnerable Apache Tomcat server is leeded to an endless loop and the Tomcat process ends up using all available CPU resources until stopped.

The vulnerability was reported responsibly to the Apache Software Foundation on Feb. 4, but was accidentally made public two days later because of an error in addressing an internal email. The same day Apache released a security advisory, despite the absence of patched versions for Commons FileUpload or Tomcat 7 and 8. The vulnerability has been fixed in Commons FileUpload version 1.3.1 that was released on Feb. 7 and a beta version of Tomcat 8.0.3 released recently.

According to Apache, the risk from this vulnerability is lower on older servers running Tomcat 6, because Tomcat 6 uses Commons FileUpload as part of the Manager application, so access to that functionality is limited to authenticated administrators. Code patches are available in the SVN repositories for Commons FileUpload, Tomcat 8 and Tomcat 7, but they need to be manually applied.

Oren Hafif, a security researcher at Trustwave explained in a blog post, that servers running Apache Tomcat 7.0 to 7.0.50 or 8.0 to 8.0.1 and hosting sites that utilize Servlet 3.0 specifications are vulnerable, as also Sites using Apache Commons FileUpload library older than 1.3.1. But these libraries are so commonly used that it is hard to understand that a site is vulnerable.

He released a proof-of-concept exploit written in Ruby that can be used by administrators to test if their Tomcat-hosted sites are vulnerable. So administrators and developers understand if a certain URL is vulnerable to the attack. The tool can also assist white-hat security professionals that are required to confirm the vulnerability throughout an engagement.

Theodora Fragkouli

Theodora has graduated from Computer Engineering and Informatics Department in the University of Patras. She also holds a Master degree in Economics from the National and Technical University of Athens. During her studies she has been involved with a large number of projects ranging from programming and software engineering to telecommunications, hardware design and analysis. She works as a junior Software Engineer in the telecommunications sector where she is mainly involved with projects based on Java and Big Data technologies.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
Newest Most Voted
Inline Feedbacks
View all comments
Mark Thomas
Mark Thomas
10 years ago

Just an update that Apache Tomcat 7.0.52 that includes the fix for CVE-2014-0050 was released on 17 Feb 2014.

Back to top button