Arch Linux ASA-201505-8 Low: Tomcat6 Remote Denial Of Service

The package tomcat6 before version 6.0.44-1 is vulnerable to remote denial of service.
Arch Linux Security Advisory ASA-201505-8
========================================
Severity: Low
Date    : 2015-05-13
CVE-ID  : CVE-2014-0230
Package : tomcat6
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package tomcat6 before version 6.0.44-1 is vulnerable to remote
denial of service.

Resolution
=========
Upgrade to 6.0.44-1.

# pacman -Syu "tomcat6>=6.0.44-1"

The problem has been fixed upstream in version 6.0.44.

Workaround
=========
None.

Description
==========
When a response for a request with a request body is returned to the
user agent before the request body is fully read, by default Tomcat
swallows the remaining request body so that the next request on the
connection may be processed. There was no limit to the size of request
body that Tomcat would swallow. This permitted a limited Denial of
Service as Tomcat would never close the connection and a processing
thread would remain allocated to the connection.
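
The swallow decision the description refers to, as an added illustration
that is not Tomcat's code and not part of the advisory: a servlet has
already written its response, some of the request body is still unread,
and the server must either drain the remainder (so the keep-alive
connection can carry the next request) or close the connection. The
pre-fix behaviour is the NO_LIMIT policy below, where the worker thread
stays committed to reading however many bytes the client chooses to send.
The fixed behaviour gives up and closes once a bound is exceeded, which is
what upstream's maxSwallowSize connector attribute does; the 2 MB bound,
the function names and the sample bodies here are assumptions for the model.

```python
"""Model of the "swallow remaining request body" decision behind CVE-2014-0230.

Constructed illustration, not Tomcat source. A stream of body bytes stands in
for the socket; declared_length stands in for the request's Content-Length.
"""
import io
from dataclasses import dataclass

NO_LIMIT = -1                          # pre-fix policy: drain everything, never close
DEFAULT_MAX_SWALLOW = 2 * 1024 * 1024  # assumed bound for this model (2 MB)


@dataclass(frozen=True)
class Outcome:
    action: str   # "keep-alive": connection reusable; "close": worker released early
    drained: int  # body bytes the worker read after the response was already sent


def drain_unread_body(body, declared_length, max_swallow=DEFAULT_MAX_SWALLOW,
                      chunk=8192):
    """Drain the unread body up to max_swallow bytes, or close the connection.

    max_swallow < 0 means no bound (the vulnerable behaviour): the worker keeps
    reading until the client has sent every declared byte.
    """
    # Bound known up front from Content-Length: close without reading anything.
    if max_swallow >= 0 and declared_length > max_swallow:
        return Outcome("close", 0)

    drained = 0
    while drained < declared_length:
        data = body.read(min(chunk, declared_length - drained))
        if not data:
            # Client closed before sending the declared length: truncated body,
            # the connection cannot be reused for a further request.
            return Outcome("close", drained)
        drained += len(data)
        if max_swallow >= 0 and drained > max_swallow:
            # Defensive: catches a stream that delivers more than it declared.
            return Outcome("close", drained)
    return Outcome("keep-alive", drained)


def bytes_before_release(declared_lengths, max_swallow=DEFAULT_MAX_SWALLOW):
    """Total bytes worker threads must read before all these connections are
    released, assuming each client sends exactly its declared body length.
    Under NO_LIMIT this grows with whatever the clients declare; with a bound
    it is capped per connection.
    """
    total = 0
    for n in declared_lengths:
        outcome = drain_unread_body(io.BytesIO(b"\0" * n), n, max_swallow)
        total += outcome.drained
    return total


if __name__ == "__main__":
    # Constructed sample: three clients declare bodies of 100, 100 and 3000 bytes
    # and the server has answered each before reading the body.
    sizes = [100, 100, 3000]
    print("unbounded swallow reads:", bytes_before_release(sizes, NO_LIMIT), "bytes")
    print("150-byte bound reads:   ", bytes_before_release(sizes, 150), "bytes")
    print(drain_unread_body(io.BytesIO(b"x" * 40), 100, 200))  # truncated -> close
```

With no bound every byte a client declares is work the worker must do before
the connection can be released; with a bound, an oversized declaration is
closed immediately and the thread returns to the pool.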

Impact
=====
A remote attacker can cause a denial of service by preventing a large
number of connections from being closed.

References
=========
https://access.redhat.com/security/cve/CVE-2014-0230
https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44
