Bug 54263 - CVE-2012-5568 Tomcat is vulnerable to Slowloris denial of service
Summary: CVE-2012-5568 Tomcat is vulnerable to Slowloris denial of service
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 6.0.36
Hardware: All All
: P2 normal (vote)
Target Milestone: default
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-08 00:38 UTC by M McClain
Modified: 2012-12-08 08:59 UTC (History)
0 users


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description M McClain 2012-12-08 00:38:30 UTC 
NIST lists all versions prior to 7.0.28 as vulnerable.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5568

RedHat is also tracking this.
https://bugzilla.redhat.com/show_bug.cgi?id=880011
Comment 1 Mark Thomas 2012-12-08 08:59:53 UTC 
Quoting [1]
"Note that all networked servers are subject to denial of service attacks, and we cannot promise magic workarounds to generic problems (such as a client streaming lots of data to your server, or re-requesting the same URL repeatedly). In general our philosophy is to avoid any attacks which can cause the server to consume resources in a non-linear relationship to the size of inputs."

Also, this was discussed on the users mailing list [2] many years ago.

[1] http://tomcat.apache.org/security.html
[2] http://tomcat.markmail.org/thread/7pjy3f3n3gasclih