Bug 54263 - CVE-2012-5568 Tomcat is vulnerable to Slowloris denial of service
Status: RESOLVED INVALID
Product: Tomcat 6
Classification: Unclassified
Component: Catalina
Version: 6.0.36
Hardware: All
OS: All
Importance: P2 normal
Target Milestone: default
Assigned To: Tomcat Developers Mailing List
URL:
Depends on:
Blocks:
Reported: 2012-12-08 00:38 UTC by M McClain
Modified: 2012-12-08 08:59 UTC (History)
Description M McClain 2012-12-08 00:38:30 UTC
NIST lists all versions prior to 7.0.28 as vulnerable.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5568

Red Hat is also tracking this.
https://bugzilla.redhat.com/show_bug.cgi?id=880011
Comment 1 Mark Thomas 2012-12-08 08:59:53 UTC
Quoting [1]
"Note that all networked servers are subject to denial of service attacks, and we cannot promise magic workarounds to generic problems (such as a client streaming lots of data to your server, or re-requesting the same URL repeatedly). In general our philosophy is to avoid any attacks which can cause the server to consume resources in a non-linear relationship to the size of inputs."

Also, this was discussed on the users mailing list [2] many years ago.

[1] http://tomcat.apache.org/security.html
[2] http://tomcat.markmail.org/thread/7pjy3f3n3gasclih