Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 735
Alerts This Week
Warning Icon 1 735

Scientific Linux: CVE-2011-4858 Moderate: tomcat6 CPU Usage Mitigation

Scientific Large Esm H446
Moderate: tomcat6 security update
Date: Wed, 11 Apr 2012 15:28:30 -0500
Reply-To: This email address is being protected from spambots. You need JavaScript enabled to view it.
Sender: Security Errata for Scientific Linux
 
From: Patrick Riehecky 
Subject: Security ERRATA Moderate: tomcat6 on SL6.x
Comments: To: This email address is being protected from spambots. You need JavaScript enabled to view it.

Synopsis: Moderate: tomcat6 security update
Issue Date: 2012-04-11
CVE Numbers: CVE-2011-4858
 CVE-2012-0022

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

It was found that the Java hashCode() method implementation was susceptible
to predictable hash collisions. A remote attacker could use this flaw to
cause Tomcat to use an excessive amount of CPU time by sending an HTTP
request with a large number of parameters whose names map to the same hash
value. This update introduces a limit on the number of parameters processed
per request to mitigate this issue. The default limit is 512 for
parameters and 128 for headers. These defaults can be changed by setting
the org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2011-4858)

It was found that Tomcat did not handle large numbers of parameters and
large parameter values efficiently. A remote attacker could make Tomcat
use an excessive amount of CPU time by sending an HTTP request containing a
large number of parameters or large parameter values. This update
introduces limits on the number of parameters and headers processed per
request to address this issue. Refer to the CVE-2011-4858 description for
information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

Users of Tomcat should upgrade to these updated packages, which correct
these issues. Tomcat must be restarted for this update to take effect.

SL6:
 noarch
 tomcat6-6.0.24-36.el6_2.noarch.rpm
 tomcat6-admin-webapps-6.0.24-36.el6_2.noarch.rpm
 tomcat6-docs-webapp-6.0.24-36.el6_2.noarch.rpm
 tomcat6-el-2.1-api-6.0.24-36.el6_2.noarch.rpm
 tomcat6-javadoc-6.0.24-36.el6_2.noarch.rpm
 tomcat6-jsp-2.1-api-6.0.24-36.el6_2.noarch.rpm
 tomcat6-lib-6.0.24-36.el6_2.noarch.rpm
 tomcat6-servlet-2.5-api-6.0.24-36.el6_2.noarch.rpm
 tomcat6-webapps-6.0.24-36.el6_2.noarch.rpm

- Scientific Linux Development Team