A new Tomcat security issue has been reported that affects Tomcat versions 7.0.0 through 7.0.22, versions 6.0.0 through 6.0.33 and versions 5.5.0 through 5.5.34.
According to the Tomcat mailing lists:
According to the Tomcat mailing lists:
"CVE-2012-0022 Apache Tomcat Denial of Service
Severity: Important
Description:
Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values. These inefficiencies could allow an attacker, via a specially crafted request, to cause large amounts of CPU to be used which in turn could create a denial of service.
The issue was addressed by modifying the Tomcat parameter handling code to efficiently process large numbers of parameters and parameter values.
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.23 or later
- Tomcat 6.0.x users should upgrade to 6.0.35 or later
- Tomcat 5.5.x users should upgrade to 5.5.35 or later
Credit:
The inefficiencies in handling large numbers of parameters were identified by the Apache Tomcat security team.
Severity: Important
Description:
Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values. These inefficiencies could allow an attacker, via a specially crafted request, to cause large amounts of CPU to be used which in turn could create a denial of service.
The issue was addressed by modifying the Tomcat parameter handling code to efficiently process large numbers of parameters and parameter values.
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.23 or later
- Tomcat 6.0.x users should upgrade to 6.0.35 or later
- Tomcat 5.5.x users should upgrade to 5.5.35 or later
Credit:
The inefficiencies in handling large numbers of parameters were identified by the Apache Tomcat security team.
