CVSSv2: 6.4

CVE-2010-2227

Published: 13/07/2010 Updated: 25/03/2019
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
VMScore: 720
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

Vulnerability Summary

Apache Tomcat 5.5.0 up to and including 5.5.29, 6.0.0 up to and including 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote malicious users to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."

Affected Products

Vendor: Apache
Product: Tomcat
Versions: 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.5.10, 5.5.11, 5.5.12, 5.5.13, 5.5.14, 5.5.15, 5.5.16, 5.5.17, 5.5.18, 5.5.19, 5.5.20, 5.5.21, 5.5.22, 5.5.23, 5.5.24, 5.5.25, 5.5.26, 5.5.27, 5.5.28, 5.5.29, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.0.16, 6.0.17, 6.0.18, 6.0.19, 6.0.20, 6.0.24, 6.0.26, 6.0.27, 7.0.0

Vendor Advisories

Synopsis: Important: tomcat5 security update. Type/Severity: Security Advisory: Important. Topic: Updated tomcat5 packages that fix one security issue are now available for Red Hat Developer Suite 3. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability ...
Synopsis: Important: tomcat5 and tomcat6 security update. Type/Severity: Security Advisory: Important. Topic: Updated tomcat5 and tomcat6 packages that fix one security issue are now available for JBoss Enterprise Web Server 1.0.1 for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated th ...
Synopsis: Important: jbossweb security update. Type/Severity: Security Advisory: Important. Topic: An updated jbossweb package that fixes two security issues is now available for JBoss Enterprise Application Platform 4.2 and 4.3 for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this ...
Synopsis: Important: tomcat5 security update. Type/Severity: Security Advisory: Important. Topic: Updated tomcat5 packages that fix three security issues are now available for Red Hat Application Server v2. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerab ...
Debian Bug report logs - #588813 CVE-2010-2227: DoS and information disclosure. Package: tomcat6; Maintainer for tomcat6 is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Moritz Muehlenhoff <jmm@inutil.org>; Date: Mon, 12 Jul 2010 15:24:01 UTC; Severity: grave; Tags: security; Found ...
It was discovered that Tomcat incorrectly handled invalid Transfer-Encoding headers. A remote attacker could send specially crafted requests containing invalid headers to the server and cause a denial of service, or possibly obtain sensitive information from other requests ...
Synopsis: Important: tomcat5 security update. Type/Severity: Security Advisory: Important. Topic: Updated tomcat5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerab ...
IntelligenceCenter uses a version of Tomcat that has several publicly documented vulnerabilities. The most severe vulnerability allows an attacker to mount a denial of service attack or to obtain sensitive information by using a specially crafted header ...
VMSA-2011-0003.2 VMware Security Advisory. Advisory ID: VMSA-2011-0003.2. Synopsis: Third p ...

Metasploit Modules

Apache Tomcat Transfer-Encoding Information Disclosure and DoS

Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."

msf > use auxiliary/dos/http/apache_tomcat_transfer_encoding
msf auxiliary(apache_tomcat_transfer_encoding) > show actions
    ...actions...
msf auxiliary(apache_tomcat_transfer_encoding) > set ACTION <action-name>
msf auxiliary(apache_tomcat_transfer_encoding) > show options
    ...show and set options...
msf auxiliary(apache_tomcat_transfer_encoding) > run

Slowloris Denial of Service Attack

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it sends further HTTP headers, adding to, but never completing, the request. Affected servers keep these connections open, filling their maximum concurrent connection pool and eventually denying additional connection attempts from clients.

msf > use auxiliary/dos/http/slowloris
msf auxiliary(slowloris) > show actions
    ...actions...
msf auxiliary(slowloris) > set ACTION <action-name>
msf auxiliary(slowloris) > show options
    ...show and set options...
msf auxiliary(slowloris) > run

References

CWE-119
http://geronimo.apache.org/21x-security-report.html
http://geronimo.apache.org/22x-security-report.html
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050207.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/050214.html
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
http://marc.info/?l=bugtraq&m=129070310906557&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/40813
http://secunia.com/advisories/41025
http://secunia.com/advisories/42079
http://secunia.com/advisories/42368
http://secunia.com/advisories/42454
http://secunia.com/advisories/43310
http://secunia.com/advisories/44183
http://secunia.com/advisories/57126
http://securitytracker.com/id?1024180
http://support.apple.com/kb/HT5002
http://svn.apache.org/viewvc?view=revision&revision=958911
http://svn.apache.org/viewvc?view=revision&revision=958977
http://svn.apache.org/viewvc?view=revision&revision=959428
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://www.debian.org/security/2011/dsa-2207
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176
http://www.mandriva.com/security/advisories?name=MDVSA-2010:177
http://www.novell.com/support/viewContent.do?externalId=7007274
http://www.novell.com/support/viewContent.do?externalId=7007275
http://www.redhat.com/support/errata/RHSA-2010-0580.html
http://www.redhat.com/support/errata/RHSA-2010-0581.html
http://www.redhat.com/support/errata/RHSA-2010-0582.html
http://www.redhat.com/support/errata/RHSA-2010-0583.html
http://www.securityfocus.com/archive/1/512272/100/0/threaded
http://www.securityfocus.com/archive/1/516397/100/0/threaded
http://www.securityfocus.com/bid/41544
http://www.vmware.com/security/advisories/VMSA-2011-0003.html
http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html
http://www.vupen.com/english/advisories/2010/1986
http://www.vupen.com/english/advisories/2010/2868
http://www.vupen.com/english/advisories/2010/3056
https://exchange.xforce.ibmcloud.com/vulnerabilities/60264
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18532
https://access.redhat.com/errata/RHSA-2010:0583
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2010-0583
http://tools.cisco.com/security/center/viewAlert.x?alertId=20865
https://usn.ubuntu.com/976-1/
https://nvd.nist.gov