Bugzilla – Bug 791679
VUL-0: CVE-2012-5568: tomcat: affected by slowloris DoS
Last modified: 2014-07-17 09:43:24 UTC
Apparently, tomcat is affected by the Slowloris DoS attack tool. Also check here: https://bugzilla.redhat.com/show_bug.cgi?id=880011
reference: bnc#738855

We have a complete backport of mod_reqtimeout. The protection is enabled upon fresh installation of the update package in SLE11-SP1 or SP2. Upon update from the SP1-vanilla or update package from SP1 channel, the module must be enabled by the admin. The default values given in the module work quite nicely.

Just interested: Is there any way for tomcat to actually do something about this problem? My understanding is that tomcat has no or not sufficiently adequate information about how requests reach the servlet, or it is not a design objective of the tomcat module to know.

Thanks, Roman.
bugbot adjusting priority
Well, there is the connectionTimeout/keepAliveTimeout [1][2], which is recommended in the RedHat bug. The default value is 60s for both.

We ship tomcat with the following settings:
- 20000 (20s) for port 8080, protocol HTTP/1.1
- 60000 (60s) for port 8009, protocol AJP/1.3

BTW: tomcat5 has unlimited values in server-minimal.xml.

I would say, as our default installation does not connect to port 80, there is no need to fix anything in a package; just give the hint to admins who have configured it for port 80. I'd bet in most of the cases tomcat is connected with httpd through the ajp protocol, so it is not exposed to the outside, so the risk is very low.

Adding jrenner for SUSE Manager and crajesh for iManager to CC, to make them aware of it.

[1] http://tomcat.apache.org/tomcat-5.5-doc/config/http.html
[2] http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
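The comment above leaves the check to the admin. As an added example (not part of this bug report and not shipped with the SUSE tomcat packages), the following script audits the Connector elements of a server.xml for the setting discussed here: it flags connectors whose connectionTimeout is absent, set to -1 (unlimited, as in the tomcat5 server-minimal.xml mentioned above) or larger than a threshold. The sample server.xml, the 60000 ms threshold and the function names are constructed for this illustration; the attribute names connectionTimeout, port and protocol are the real ones from the linked Tomcat HTTP connector documentation.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the first two connectors mirror the shipped
# settings quoted above (20 s for HTTP/1.1 on 8080, 60 s for AJP/1.3 on 8009);
# the third has an unlimited timeout and the fourth none at all.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3"
               connectionTimeout="60000" redirectPort="8443"/>
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="-1"/>
    <Connector port="8081" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

# Threshold in milliseconds; an assumption taken from the 60 s value quoted above.
MAX_RECOMMENDED_MS = 60000


def audit_connectors(xml_text, max_ms=MAX_RECOMMENDED_MS):
    """Return one (port, protocol, connectionTimeout, verdict) tuple per
    <Connector>; connectionTimeout is None when the attribute is missing."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        # Tomcat treats a Connector without a protocol attribute as HTTP/1.1.
        proto = conn.get("protocol", "HTTP/1.1")
        raw = conn.get("connectionTimeout")
        if raw is None:
            value = None
            verdict = "not set: relies on the connector default; set it explicitly"
        else:
            value = int(raw)
            if value < 0:
                verdict = "unlimited (-1): idle connections are never dropped"
            elif value > max_ms:
                verdict = f"{value} ms exceeds {max_ms} ms"
            else:
                verdict = "ok"
        findings.append((port, proto, value, verdict))
    return findings


def risky_ports(xml_text, max_ms=MAX_RECOMMENDED_MS):
    """Ports of all connectors that did not get an 'ok' verdict."""
    return [port for port, _proto, _value, verdict in audit_connectors(xml_text, max_ms)
            if verdict != "ok"]


if __name__ == "__main__":
    for port, proto, value, verdict in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port:>5} {proto:<8} connectionTimeout={str(value):<6} -> {verdict}")
    print("connectors needing attention:", risky_ports(SAMPLE_SERVER_XML))
```

Run it against a real file with `audit_connectors(open("/etc/tomcat6/server.xml").read())`; a connector that fronts port 80 directly is the case where the verdict matters most, since connectors reached only through httpd via AJP are, as noted above, not exposed to slow clients.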
Agreed.
@security-team: which kind of documentation will be sufficient then?
ping
I think an entry in README.SuSE might suffice.
This is an autogenerated message for OBS integration: This bug (791679) was mentioned in https://build.opensuse.org/request/show/144552 Maintenance /
This is an autogenerated message for OBS integration: This bug (791679) was mentioned in https://build.opensuse.org/request/show/144937 Maintenance /
This is an autogenerated message for OBS integration: This bug (791679) was mentioned in https://build.opensuse.org/request/show/144949 Maintenance /
submitted, see https://bugzilla.novell.com/show_bug.cgi?id=791426#c11
This is an autogenerated message for OBS integration: This bug (791679) was mentioned in https://build.opensuse.org/request/show/144953 Maintenance /
This is an autogenerated message for OBS integration: This bug (791679) was mentioned in https://build.opensuse.org/request/show/144989 Maintenance / https://build.opensuse.org/request/show/144990 Maintenance /
This is an autogenerated message for OBS integration: This bug (791679) was mentioned in https://build.opensuse.org/request/show/145902 Maintenance /
openSUSE-SU-2012:1700-1: An update that fixes 10 vulnerabilities is now available.
Category: security (moderate)
Bug References: 789406,791423,791424,791426,791679,793391,793394
CVE References: CVE-2009-2693,CVE-2009-2901,CVE-2009-2902,CVE-2012-2733,CVE-2012-3546,CVE-2012-4431,CVE-2012-5568,CVE-2012-5885,CVE-2012-5886,CVE-2012-5887
Sources used: openSUSE 12.1 (src): libtcnative-1-0-1.3.3-3.7.1, tomcat6-6.0.33-3.7.1
openSUSE-SU-2012:1701-1: An update that fixes 10 vulnerabilities is now available.
Category: security (moderate)
Bug References: 779538,789406,791423,791424,791426,791679,793391,793394
CVE References: CVE-2009-2693,CVE-2009-2901,CVE-2009-2902,CVE-2012-2733,CVE-2012-3546,CVE-2012-4431,CVE-2012-5568,CVE-2012-5885,CVE-2012-5886,CVE-2012-5887
Sources used: openSUSE 12.2 (src): tomcat-7.0.27-2.9.1
Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps Products: SLE-SERVER 11-SP1-TERADATA (x86_64) SUSE-MANAGER 1.2 (x86_64)
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps Products: SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps Products: SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
released
This is an autogenerated message for OBS integration: This bug (791679) was mentioned in https://build.opensuse.org/request/show/196597 Evergreen:11.2 / tomcat6
This is an autogenerated message for OBS integration: This bug (791679) was mentioned in https://build.opensuse.org/request/show/198409 Evergreen:11.2 / tomcat6