Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Server/CGI)  >   Apache Tomcat Vendors:   Apache Software Foundation
Apache Tomcat AJP Request Processing Flaw Lets Remote Users Deny Service
SecurityTracker Alert ID:  1030300
SecurityTracker URL:
CVE Reference:   CVE-2014-0095   (Links to External Site)
Date:  May 27 2014
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8.0.0-RC2 to 8.0.3
Description:   A vulnerability was reported in Apache Tomcat. A remote user can cause denial of service conditions.

A remote user can send a specially crafted Apache JServ Protocol (AJP) request with a content length of zero to cause the target process to hang and consume a request processing thread.

The vulnerability was reintroduced in revision 1519838.

Impact:   A remote user can consume a request processing thread.
Solution:   The vendor has issued a fix (8.0.5).

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 18 2015 (IBM Issues Fix for IBM Power Hardware Management Console) Apache Tomcat AJP Request Processing Flaw Lets Remote Users Deny Service
IBM has issued a fix for IBM Power Hardware Management Console.

 Source Message Contents

Subject:  [FD] [SECURITY] CVE-2014-0095 Apache Tomcat denial of service

CVE-2014-0095 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC2 to 8.0.3

A regression was introduced in  revision 1519838 that caused AJP
requests to hang if an explicit content length of zero was set on the
request. The hanging request consumed a request processing thread which
could lead to a denial of service.

Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)

This issue was reported as a possible bug via the Tomcat users mailing
list and the security implications were identified by theTomcat security


Sent through the Full Disclosure mailing list
Web Archives & RSS:

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC