All,
On 5/27/14, 2:41 PM, Christopher Schultz wrote:
> All,
>
> On 5/27/14, 8:46 AM, Mark Thomas wrote:
>> CVE-2014-0095 Denial of Service
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> - Apache Tomcat 8.0.0-RC2 to 8.0.3
>>
>> Description:
>> A regression was introduced in revision 1519838 that caused AJP
>> requests to hang if an explicit content length of zero was set on
>> the request. The hanging request consumed a request processing
>> thread which could lead to a denial of service.
>>
>> Mitigation:
>> Users of affected versions should apply one of the following
>> mitigations
>> - Upgrade to Apache Tomcat 8.0.5 or later
>>   (8.0.4 contains the fix but was not released)
>
> Alternate mitigation:
>
> SetEnvIf "Content-Length" "^0$" no-jk=1

After a bit of testing, I can see that clients will often send
Content-Length: 0 for a POST request that in fact has no form data
(e.g. all fields are DISABLED or there simply are no child <input>
elements for a form).

Beware, as this may have an adverse impact on your web application if
you have used the above mitigation: Tomcat will never see these form
submissions and clients will likely get a 404 error.

Apologies for the bad advice.
-chris