CVE-2014-0230

Published: 07 June 2015

Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.

From the Ubuntu security team

It was discovered that Tomcat incorrectly handled HTTP responses occurring before the entire request body was finished being read. A remote attacker could possibly use this issue to cause a limited denial of service.

Priority

Low

Status

Package Release Status

tomcat6
  Upstream: Needed
  Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus): Released (6.0.45+dfsg-1)
  Ubuntu 14.04 ESM (Trusty Tahr): Released (6.0.39-1ubuntu0.1)
  Patches:
    Upstream: https://svn.apache.org/viewvc?view=revision&revision=1659537

tomcat7
  Upstream: Needed
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (7.0.56-2)
  Ubuntu 16.04 LTS (Xenial Xerus): Not vulnerable (7.0.56-2)
  Ubuntu 14.04 ESM (Trusty Tahr): Released (7.0.52-1ubuntu0.3)
  Patches:
    Upstream: https://svn.apache.org/viewvc?view=revision&revision=1603781

tomcat8
  Upstream: Needed
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (8.0.14-1)
  Ubuntu 16.04 LTS (Xenial Xerus): Not vulnerable (8.0.14-1)
  Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Notes

mdeslaur: ASF says this is a low severity issue that, unlike the original description, can't cause memory consumption, only a limited denial of service.
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201505.mbox/%3C554949D1.8030904%40apache.org%3E
