Bug 54263

Summary: CVE-2012-5568 Tomcat is vulnerable to Slowloris denial of service
Product: Tomcat 6 Reporter: M McClain <mmcclain>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P2    
Version: 6.0.36   
Target Milestone: default   
Hardware: All   
OS: All   

Description M McClain 2012-12-08 00:38:30 UTC
NIST lists all versions prior to 7.0.28 as vulnerable.

RedHat is also tracking this.
Comment 1 Mark Thomas 2012-12-08 08:59:53 UTC
Quoting [1]
"Note that all networked servers are subject to denial of service attacks, and we cannot promise magic workarounds to generic problems (such as a client streaming lots of data to your server, or re-requesting the same URL repeatedly). In general our philosophy is to avoid any attacks which can cause the server to consume resources in a non-linear relationship to the size of inputs."

Also, this was discussed on the users mailing list [2] many years ago.

[1] http://tomcat.apache.org/security.html
[2] http://tomcat.markmail.org/thread/7pjy3f3n3gasclih