Denial-of-service vulnerability puts Apache Tomcat servers at risk

Attackers can cause Tomcat processes to use all available CPU resources by sending malformed HTTP requests

Security researchers published a proof-of-concept exploit for a recently disclosed vulnerability that allows attackers to launch denial-of-service attacks against websites hosted on Apache Tomcat servers.

Apache Tomcat is a widely used Web server for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies.

The new denial-of-service vulnerability is located in Apache Commons FileUpload, a stand-alone library that developers can use to add file upload capability to their Java Web-based applications. This library is also included by default in Apache Tomcat versions 7 and 8 in order to support the processing of mime-multipart requests.

The multipart content type is used when an HTTP request needs to include different sets of data in its body. The different data sets are separated by a so-called encapsulation boundary -- a string of text defined in the request headers to serve as the boundary.

According to security researchers from Trustwave, requests with a specified boundary longer than 4091 characters will force vulnerable Apache Tomcat servers into an endless loop. As a result, the Tomcat process will end up using all available CPU resources until it is stopped.

The vulnerability, which is being tracked as CVE-2014-0050, was reported responsibly to the Apache Software Foundation on Feb. 4, but was accidentally made public two days later because of an error in addressing an internal e-mail. This prompted Apache to release a security advisory the same day despite the absence of patched versions for Commons FileUpload or Tomcat 7 and 8.

Since then, the vulnerability has been fixed in Commons FileUpload version 1.3.1 that was released on Feb. 7 and a beta version of Tomcat 8.0.3 released yesterday. It's also scheduled to be addressed in Apache Tomcat 7.0.51, but this version of the server has yet to be released.

According to Apache, the risk from this vulnerability is lower on older servers running Tomcat 6. "While Tomcat 6 uses Commons FileUpload as part of the Manager application, access to that functionality is limited to authenticated administrators," Apache said in its advisory.

Code patches are available in the SVN repositories for Commons FileUpload, Tomcat 8 and Tomcat 7, but they need to be manually applied.

Servers running Apache Tomcat 7.0 to 7.0.50 or 8.0 to 8.0.1 and hosting sites that utilize Servlet 3.0 specifications -- for example "request.getPart" or "request.getParts" methods -- are vulnerable, Oren Hafif, a security researcher at Trustwave, said Tuesday in a blog post. Sites using Apache Commons FileUpload library older than 1.3.1 are also vulnerable, he said.

"To be honest, these libraries are so commonly used that you might not even know that your site is vulnerable," Hafif said.

The researcher released a proof-of-concept exploit written in Ruby that administrators can use in their quality assurance or staging environments to test if their Tomcat-hosted sites are vulnerable.

"This can help administrators and developers understand if a certain URL is vulnerable to the attack (but needs to be tested on all URLs)," the researcher said. "The tool can also assist white-hat security professionals that are required to confirm the vulnerability throughout an engagement."

Tags patchestrustwavesecurityApache Software FoundationExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?