Apache Tomcat developers advise updates to avoid DoS
The Apache Tomcat developers are advising users of the 7.0.x, 6.0.x and 5.5.x branches of the Java servlet and JSP container to update to the latest released versions 7.0.23, 6.0.35 and 5.5.35. Recent investigations revealed inefficiencies in how large numbers of parameters and parameter values were handled by Tomcat.
Analysis of the recent hash collision denial-of-service (DoS) vulnerability had allowed the developers to identify "unrelated inefficiencies" which could be exploited by a specially crafted request, causing large amounts of CPU to be consumed. To address the issue, the developers modified the code to efficiently process large numbers of parameters and values.
The project has been quietly releasing the fixes to the Tomcat code; 7.0.23 appeared at the end of November 2011 and 6.0.35 arrived at the start of December. Now that they have released an update to last of the currently supported versions, 5.5.35, the developers have published their advisory. Users who have yet not updated can download version 7.0.23, version 6.0.35 and version 5.5.35 from the Apache Tomcat site.
See also:
- CVE-2012-0022 Apache Tomcat Denial of Service, security advisory.
Editor's note: This story is a corrected version of an early story.
(djwm)