Websites hosted on Apache Tomcat servers appear to be vulnerable to denial-of-service attacks, as security researchers recently demonstrated and as reported in "Denial-of-service vulnerability puts Apache Tomcat servers at risk".
Apache Tomcat servers are widely used for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies. Apache Commons FileUpload is a stand-alone library that developers use to add file upload capability to their Java Web-based applications. It is included in Apache Tomcat versions 7 and 8 by default, so as to support the processing of mime-multipart requests. Well, this is where the denial-of-service vulnerability is located.
The multipart content type is used when an HTTP request needs to include different sets of data in its body. The different data sets are separated by a so-called encapsulation boundary—a string of text defined in the request headers to serve as the boundary.
Security researchers from Trustwave explain that a request whose declared boundary is longer than 4091 characters sends a vulnerable Apache Tomcat server into an endless loop, and the Tomcat process ends up consuming all available CPU until it is stopped.
The vulnerability was responsibly reported to the Apache Software Foundation on Feb. 4, but was accidentally made public two days later because of an addressing error in an internal email. Apache released a security advisory the same day, even though no patched versions of Commons FileUpload or Tomcat 7 and 8 were available yet. The vulnerability has since been fixed in Commons FileUpload version 1.3.1, released on Feb. 7, and in the recently released beta of Tomcat 8.0.3.
According to Apache, the risk from this vulnerability is lower on older servers running Tomcat 6, because Tomcat 6 uses Commons FileUpload as part of the Manager application, so access to that functionality is limited to authenticated administrators. Code patches are available in the SVN repositories for Commons FileUpload, Tomcat 8 and Tomcat 7, but they need to be manually applied.
Oren Hafif, a security researcher at Trustwave, explained in a blog post that servers running Apache Tomcat 7.0 to 7.0.50 or 8.0 to 8.0.1 and hosting sites that use the Servlet 3.0 specification are vulnerable, as are sites using a version of the Apache Commons FileUpload library older than 1.3.1. Because these libraries are so commonly used, it is hard to tell whether a given site is vulnerable.
He released a proof-of-concept exploit written in Ruby that administrators can use to test whether their Tomcat-hosted sites are vulnerable, so that administrators and developers can determine whether a particular URL is exposed to the attack. The tool can also assist white-hat security professionals who need to confirm the vulnerability during an engagement.