Bug 917127 (CVE-2014-0227) - VUL-1: CVE-2014-0227: tomcat6,tomcat5,tomcat: Limited DoS in chunked transfer encoding input filter
Status: RESOLVED FIXED
Duplicates: 918195
Alias: CVE-2014-0227
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Minor
Target Milestone: ---
Deadline: 2016-07-29
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/113677/
Whiteboard: . CVSSv2:RedHat:CVE-2014-0227:4.3:(AV...
Reported: 2015-02-10 14:48 UTC by Johannes Segitz
Modified: 2016-09-08 22:19 UTC
Found By: Security Response Team
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Johannes Segitz 2015-02-10 14:48:41 UTC
rh#1109196

It was discovered that the ChunkedInputFilter implementation did not fail subsequent attempts to read input early enough. A remote attacker could use this flaw to perform a denial of service attack, by streaming an unlimited quantity of data, leading to consumption of server resources.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1109196
https://svn.apache.org/viewvc?view=revision&revision=1603628
https://svn.apache.org/viewvc?view=revision&revision=1601333
https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.43
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0227
Comment 1 Swamp Workflow Management 2015-02-10 23:00:24 UTC
bugbot adjusting priority
Comment 7 Marcus Meissner 2015-03-05 10:21:38 UTC
reopen for tracking
Comment 10 Swamp Workflow Management 2015-06-18 08:59:08 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-07-02.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62034
Comment 11 Marcus Meissner 2015-06-18 09:02:38 UTC
Bogdan, this fix was not in your last submission (SR 60338) ... can you merge it in please and resubmit?
Comment 14 Konstantinos Tsamis 2015-07-22 12:11:34 UTC
*** Bug 918195 has been marked as a duplicate of this bug. ***
Comment 15 Swamp Workflow Management 2015-08-03 13:09:00 UTC
SUSE-SU-2015:1337-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 906152,917127,918195,926762,931442,932698
CVE References: CVE-2014-0227,CVE-2014-0230,CVE-2014-7810
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    tomcat6-6.0.41-0.45.1
SUSE Linux Enterprise Server 11 SP3 (src):    tomcat6-6.0.41-0.45.1
Comment 16 Swamp Workflow Management 2015-09-16 15:10:15 UTC
SUSE-SU-2015:1565-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 906152,917127,926762,931442,932698,934219
CVE References: CVE-2014-0227,CVE-2014-0230,CVE-2014-7810
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    tomcat6-6.0.41-0.47.1
Comment 17 Marcus Meissner 2015-09-16 15:30:14 UTC
done
Comment 18 Swamp Workflow Management 2016-07-15 12:51:07 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-07-29.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62898