CVE-2012-0022

Published: 18 January 2012

Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.

Notes

Author	Note
mdeslaur	upstream bug says last commit isn't in 6.0.35.

Priority

Status

Package	Release	Status
tomcat5.5 Launchpad, Ubuntu, Debian	hardy	Ignored (end of life)
	lucid	Does not exist
	maverick	Does not exist
	natty	Does not exist
	oneiric	Does not exist
	precise	Does not exist
	quantal	Does not exist
	upstream	Needs triage
tomcat6 Launchpad, Ubuntu, Debian	hardy	Does not exist
	lucid	Released (6.0.24-2ubuntu1.10)
	maverick	Released (6.0.28-2ubuntu1.6)
	natty	Released (6.0.28-10ubuntu2.3)
	oneiric	Released (6.0.32-5ubuntu1.2)
	precise	Released (6.0.35-1ubuntu1)
	quantal	Released (6.0.35-1ubuntu1)
	upstream	Needs triage
	Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1140904 (backporting) upstream: http://svn.apache.org/viewvc?view=revision&revision=1199122 (backporting) upstream: http://svn.apache.org/viewvc?view=revision&revision=1200601 upstream: http://svn.apache.org/viewvc?view=revision&revision=1206324 upstream: http://svn.apache.org/viewvc?view=revision&revision=1229027
tomcat7 Launchpad, Ubuntu, Debian	hardy	Does not exist
	lucid	Does not exist
	maverick	Does not exist
	natty	Does not exist
	oneiric	Released (7.0.21-1ubuntu0.1)
	precise	Not vulnerable (7.0.26-1ubuntu1)
	quantal	Not vulnerable (7.0.29-0ubuntu1)
	upstream	Released (7.0.23)

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›