ID CVE-2011-0534
Summary Apache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not enforce the maxHttpHeaderSize limit for requests involving the NIO HTTP connector, which allows remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*
    cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 09-10-2018 - 19:29)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
bugzilla
id 676922
title Additionally Created Instances of Tomcat are broken / don't work
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment tomcat6 is earlier than 0:6.0.24-24.el6_0
        oval oval:com.redhat.rhsa:tst:20110335005
      • comment tomcat6 is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110335006
    • AND
      • comment tomcat6-admin-webapps is earlier than 0:6.0.24-24.el6_0
        oval oval:com.redhat.rhsa:tst:20110335021
      • comment tomcat6-admin-webapps is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110335022
    • AND
      • comment tomcat6-docs-webapp is earlier than 0:6.0.24-24.el6_0
        oval oval:com.redhat.rhsa:tst:20110335019
      • comment tomcat6-docs-webapp is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110335020
    • AND
      • comment tomcat6-el-2.1-api is earlier than 0:6.0.24-24.el6_0
        oval oval:com.redhat.rhsa:tst:20110335023
      • comment tomcat6-el-2.1-api is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110335024
    • AND
      • comment tomcat6-javadoc is earlier than 0:6.0.24-24.el6_0
        oval oval:com.redhat.rhsa:tst:20110335011
      • comment tomcat6-javadoc is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110335012
    • AND
      • comment tomcat6-jsp-2.1-api is earlier than 0:6.0.24-24.el6_0
        oval oval:com.redhat.rhsa:tst:20110335007
      • comment tomcat6-jsp-2.1-api is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110335008
    • AND
      • comment tomcat6-lib is earlier than 0:6.0.24-24.el6_0
        oval oval:com.redhat.rhsa:tst:20110335017
      • comment tomcat6-lib is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110335018
    • AND
      • comment tomcat6-log4j is earlier than 0:6.0.24-24.el6_0
        oval oval:com.redhat.rhsa:tst:20110335015
      • comment tomcat6-log4j is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110335016
    • AND
      • comment tomcat6-servlet-2.5-api is earlier than 0:6.0.24-24.el6_0
        oval oval:com.redhat.rhsa:tst:20110335009
      • comment tomcat6-servlet-2.5-api is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110335010
    • AND
      • comment tomcat6-webapps is earlier than 0:6.0.24-24.el6_0
        oval oval:com.redhat.rhsa:tst:20110335013
      • comment tomcat6-webapps is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20110335014
rhsa
id RHSA-2011:0335
released 2011-03-09
severity Important
title RHSA-2011:0335: tomcat6 security and bug fix update (Important)
rpms
  • tomcat6-0:6.0.24-24.el6_0
  • tomcat6-admin-webapps-0:6.0.24-24.el6_0
  • tomcat6-docs-webapp-0:6.0.24-24.el6_0
  • tomcat6-el-2.1-api-0:6.0.24-24.el6_0
  • tomcat6-javadoc-0:6.0.24-24.el6_0
  • tomcat6-jsp-2.1-api-0:6.0.24-24.el6_0
  • tomcat6-lib-0:6.0.24-24.el6_0
  • tomcat6-log4j-0:6.0.24-24.el6_0
  • tomcat6-servlet-2.5-api-0:6.0.24-24.el6_0
  • tomcat6-webapps-0:6.0.24-24.el6_0
refmap via4
apple APPLE-SA-2011-10-12-3
bid 46164
bugtraq 20110205 [SECURITY] CVE-2011-0534 Apache Tomcat DoS vulnerability
confirm
debian DSA-2160
hp HPSBST02955
osvdb 70809
sectrack 1025027
secunia
  • 43192
  • 45022
  • 57126
sreason 8074
suse SUSE-SR:2011:005
vupen ADV-2011-0293
xf tomcat-nio-connector-dos(65162)
Last major update 09-10-2018 - 19:29
Published 10-02-2011 - 18:00
Back to Top