#VU64510 Input validation error in Apache Tomcat - CVE-2012-3544
Vulnerability identifier: #VU64510
Vulnerability risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Apache Tomcat
Server applications /
Web servers
Vendor: Apache Foundation
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack by streaming data.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Apache Tomcat: 6.0.0 - 6.0.36, 7.0.0 - 7.0.29
External links
https://archives.neohapsis.com/archives/bugtraq/2013-05/0042.html
https://seclists.org/fulldisclosure/2014/Dec/23
https://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java?r1=1476592&r2=1476591&pathrev=1476592
https://svn.apache.org/viewvc?view=revision&revision=1378702
https://svn.apache.org/viewvc?view=revision&revision=1378921
https://svn.apache.org/viewvc?view=revision&revision=1476592
https://tomcat.apache.org/security-6.html
https://tomcat.apache.org/security-7.html
https://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
https://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
https://www.securityfocus.com/archive/1/534161/100/0/threaded
https://www.securityfocus.com/bid/59797
https://www.securityfocus.com/bid/64758
https://www.ubuntu.com/usn/USN-1841-1
https://www.vmware.com/security/advisories/VMSA-2014-0012.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
