-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Wednesday, June 12, 2013 11:56 AM
To: Tomcat Users List
Subject: Re: is tomcat 6.0.35 vulnerable to CVE-2007-6750?
>
> Brandon,
>
> On 6/12/13 11:33 AM, Brandon McCombs wrote:
>> I don't know if this is the correct list, but it seems to be the best
>> one.
>>
>> I'm trying to find evidence of whether tomcat 6.0.35 is vulnerable
>> (and if so, was it fixed and in which version?) to the issue
>> identified in CVE-2007-6750?
>
> Note that, officially, CVE-2007-6750 is against Apache httpd, and no other
> product. Technically, CVE-2007-6750 cannot be applied to Tomcat.
>
> On the other hand, the technique used for a DOS (Slowloris) can definitely be
> used to DOS Tomcat under certain configurations.
> Technically, this is tracked via a separate CVE issue:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568 (which you should
> have found from RedHat's Bugzilla entry).
>

Hi Chris,
Yeah, I found it. I don't think I noticed I had found it when I clicked on that entry in my Google search results. I just saw CVE-2007-6750 listed in the short excerpt and clicked on it. The bugzilla URL I listed below is actually from that CVE page for 5568.

>
> To (partially) mitigate Slowloris, use the NIO connector with an appropriate
> connectionTimeout configured.
>
>> "The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a
>> denial of service (daemon outage) via partial HTTP requests, as
>> demonstrated by Slowloris, related to the lack of the mod_reqtimeout
>> module in versions before 2.2.15."
>>
>> I found a single statement on
>> https://bugzilla.redhat.com/show_bug.cgi?id=880011 that says Tomcat is
>> affected, but I haven't found any published fix from RH or any
>> confirmation on the tomcat.apache.org website.
>
> http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat
>
> You are looking for CVE-2012-5568.

I remember reading the description for 5568 on the security-7.html page, but since I didn't know (or notice) that was the one that was specific to Tomcat for the general 6750 issue, I didn't put 2 and 2 together. So it seems that although there is a chance of Tomcat being vulnerable, it isn't a sufficiently large risk to warrant being addressed and is in fact categorized as a low risk. So that's good enough for me. Thank you, sir.
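The NIO-plus-connectionTimeout mitigation Chris describes, shown as a server.xml before/after. This is an added example, not configuration from the thread or from the Tomcat project; the port numbers, thread count and timeout values are assumptions chosen for illustration and should be tuned to the deployment.

```xml
<!-- Before (Tomcat 6/7 shipped default). When the APR/native library is not
     installed, protocol="HTTP/1.1" selects the blocking (BIO) connector:
     each half-open Slowloris connection pins a worker thread until
     connectionTimeout expires, so maxThreads such connections (200 by
     default) exhaust the pool and new clients hang on the accept queue. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- After. The NIO connector reads the request line and headers in
     non-blocking mode from the poller, so a client that trickles header
     bytes does not occupy a worker thread. connectionTimeout (ms) bounds
     how long an incomplete request may sit idle before the poller drops it;
     keepAliveTimeout bounds idle time between requests on a kept-alive
     connection. Values below are assumptions for illustration. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="10000"
           keepAliveTimeout="5000"
           maxThreads="200"
           disableUploadTimeout="false"
           connectionUploadTimeout="30000"
           redirectPort="8443" />
```

Why only "partially": on Tomcat 6/7 the NIO connector is non-blocking for the request line and headers but reads the request body through a worker thread, so a client that sends complete headers and then trickles a large POST body still holds a thread. Setting disableUploadTimeout="false" makes connectionUploadTimeout apply to that body read instead of the longer default; a reverse proxy or load balancer that buffers whole requests in front of Tomcat is the usual way to close the remaining gap.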