Bug 54263 - CVE-2012-5568 Tomcat is vulnerable to Slowloris denial of service
Summary: CVE-2012-5568 Tomcat is vulnerable to Slowloris denial of service
Alias: None
Product: Tomcat 6
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 6.0.36
Hardware: All All
: P2 normal (vote)
Target Milestone: default
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2012-12-08 00:38 UTC by M McClain
Modified: 2012-12-08 08:59 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description M McClain 2012-12-08 00:38:30 UTC
NIST lists all versions prior to 7.0.28 as vulnerable.

RedHat is also tracking this.
Comment 1 Mark Thomas 2012-12-08 08:59:53 UTC
Quoting [1]
"Note that all networked servers are subject to denial of service attacks, and we cannot promise magic workarounds to generic problems (such as a client streaming lots of data to your server, or re-requesting the same URL repeatedly). In general our philosophy is to avoid any attacks which can cause the server to consume resources in a non-linear relationship to the size of inputs."

Also, this was discussed on the users mailing list [2] many years ago.

[1] http://tomcat.apache.org/security.html
[2] http://tomcat.markmail.org/thread/7pjy3f3n3gasclih