Denial-of-service vulnerability puts Apache Tomcat servers at risk

Attackers can cause Tomcat processes to use all available CPU resources by sending malformed HTTP requests

Security researchers published a proof-of-concept exploit for a recently disclosed vulnerability that allows attackers to launch denial-of-service attacks against websites hosted on Apache Tomcat servers.

Apache Tomcat is a widely used Web server for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies.

The new denial-of-service vulnerability is located in Apache Commons FileUpload, a stand-alone library that developers can use to add file upload capability to their Java Web-based applications. This library is also included by default in Apache Tomcat versions 7 and 8 in order to support the processing of mime-multipart requests.

The multipart content type is used when an HTTP request needs to include different sets of data in its body. The different data sets are separated by a so-called encapsulation boundary -- a string of text defined in the request headers to serve as the boundary.

According to security researchers from Trustwave, requests with a specified boundary longer than 4091 characters will force vulnerable Apache Tomcat servers into an endless loop. As a result, the Tomcat process will end up using all available CPU resources until it is stopped.

The vulnerability, which is being tracked as CVE-2014-0050, was reported responsibly to the Apache Software Foundation on Feb. 4, but was accidentally made public two days later because of an error in addressing an internal e-mail. This prompted Apache to release a security advisory the same day despite the absence of patched versions for Commons FileUpload or Tomcat 7 and 8.

Since then, the vulnerability has been fixed in Commons FileUpload version 1.3.1 that was released on Feb. 7 and a beta version of Tomcat 8.0.3 released yesterday. It's also scheduled to be addressed in Apache Tomcat 7.0.51, but this version of the server has yet to be released.

According to Apache, the risk from this vulnerability is lower on older servers running Tomcat 6. "While Tomcat 6 uses Commons FileUpload as part of the Manager application, access to that functionality is limited to authenticated administrators," Apache said in its advisory.

Code patches are available in the SVN repositories for Commons FileUpload, Tomcat 8 and Tomcat 7, but they need to be manually applied.

Servers running Apache Tomcat 7.0 to 7.0.50 or 8.0 to 8.0.1 and hosting sites that utilize Servlet 3.0 specifications -- for example "request.getPart" or "request.getParts" methods -- are vulnerable, Oren Hafif, a security researcher at Trustwave, said Tuesday in a blog post. Sites using Apache Commons FileUpload library older than 1.3.1 are also vulnerable, he said.

"To be honest, these libraries are so commonly used that you might not even know that your site is vulnerable," Hafif said.

The researcher released a proof-of-concept exploit written in Ruby that administrators can use in their quality assurance or staging environments to test if their Tomcat-hosted sites are vulnerable.

"This can help administrators and developers understand if a certain URL is vulnerable to the attack (but needs to be tested on all URLs)," the researcher said. "The tool can also assist white-hat security professionals that are required to confirm the vulnerability throughout an engagement."

Join the Computerworld Australia group on Linkedin. The group is open to IT Directors, IT Managers, Infrastructure Managers, Network Managers, Security Managers, Communications Managers.

More about: Apache, Apache Software Foundation, Trustwave
Comments are now closed.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: patches, trustwave, security, Apache Software Foundation, Exploits / vulnerabilities
Whitepapers
All whitepapers

Queensland Police arrest man for allegedly hacking US gaming developer site

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Sign up now to get free exclusive access to reports, research and invitation only events.

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia