Apache Tomcat Parameter Handling Denial of Service Vulnerability
BID:51447
Info
| Bugtraq ID: | 51447 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | CVE-2012-0022 |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 17 2012 12:00AM |
| Updated: | May 23 2017 04:26PM |
| Credit: | Reported by the vendor |
| Vulnerable: |
- VMWare vCenter: 5.0 0, 4.1, 4.0
- VMWare ESX: 4.1, 4.0
- Ubuntu Ubuntu Linux: 11.10 i386, 11.10 amd64, 11.04 powerpc, 11.04 i386, 11.04 ARM, 11.04 amd64, 10.10 powerpc, 10.10 i386, 10.10 ARM, 10.10 amd64, 10.04 sparc, 10.04 powerpc, 10.04 i386, 10.04 ARM, 10.04 amd64
- Sun Solaris 10
- Redhat JBoss Operations Network 3.1
- Redhat JBoss Enterprise Web Server for RHEL 6 1.0
- Redhat JBoss Enterprise Web Server for RHEL 5 Server 1.0
- Redhat JBoss Enterprise Portal Platform 4.3 CP07
- Redhat JBoss Enterprise Application Platform for RHEL 6 Server 5
- Redhat JBoss Enterprise Application Platform for RHEL 5 Server 5
- Redhat JBoss Enterprise Application Platform for RHEL 4ES 5
- Redhat JBoss Enterprise Application Platform for RHEL 4AS 5
- Redhat JBoss Communications Platform 5.1.2
- Redhat Enterprise Linux Workstation Optional 6
- Redhat Enterprise Linux Workstation 6
- Redhat Enterprise Linux Server Optional 6
- Redhat Enterprise Linux Server 6
- Redhat Enterprise Linux HPC Node Optional 6
- Redhat Enterprise Linux Desktop Workstation 5 client
- Redhat Enterprise Linux Desktop Optional 6
- Redhat Enterprise Linux Desktop 5 client
- Redhat Enterprise Linux 5 Server
- Oracle GoldenGate Veridata 3.0.0.11.0
- Oracle GoldenGate Management Pack: 11.1.1.1.0, 0
- Oracle Enterprise Linux: 6.2, 6, 5
- Mandriva Linux Mandrake: 2010.1 x86_64, 2010.1
- MandrakeSoft Enterprise Server: 5 x86_64, 5
- Juniper Network and Security Manager (NSM): 2012.2, 2012.1, 2011.4, 2010.3
- IBM Storwize V7000 Unified: 1.3.2 0, 1.3.1.0, 1.3.0.5, 1.3.0.0
- HP HP-UX Web Server Suite: 3.22, 3.21, 3.18, 3.17, 3.15, 3.14, 3.13, 3.12, 3.10
- HP HP-UX: B.11.31, B.11.23
- Gentoo Linux
- Debian Linux 6.0: sparc, s/390, powerpc, mips, ia-64, ia-32, arm, amd64
- CTERA Networks CTERA Portal 3.1
- Avaya Aura System Manager: 6.2, 6.1.3, 6.1.2, 6.1.1, 6.1 SP2, 6.1 Sp1, 6.1
- Apache Tomcat 7.0.x: 7.0.17, 7.0.16, 7.0.15, 7.0.14, 7.0.13, 7.0.12, 7.0.9, 7.0.8, 7.0.7, 7.0.6, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.5, 7.0.22, 7.0.21, 7.0.20, 7.0.19, 7.0.18, 7.0.11, 7.0.10
- Apache Tomcat 6.0.x: 6.0.35, 6.0.32, 6.0.29, 6.0.28, 6.0.27, 6.0.26, 6.0.25, 6.0.24, 6.0.20, 6.0.18, 6.0.17, 6.0.16, 6.0.15, 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0, 6.0.31, 6.0.30, 6.0.19
- Apache Tomcat 5.5.x: 5.5.34, 5.5.32, 5.5.30, 5.5.29, 5.5.28, 5.5.27, 5.5.26, 5.5.25, 5.5.24, 5.5.23, 5.5.22, 5.5.21, 5.5.20, 5.5.19, 5.5.18, 5.5.17, 5.5.16, 5.5.15, 5.5.14, 5.5.13, 5.5.12, 5.5.11, 5.5.10, 5.5.3, 5.5.2, 5.5.1, 5.5, 5.5.33, 5.5.31 |
| Not Vulnerable: |
- Redhat JBoss Operations Network 3.1.1
- Redhat JBoss Communications Platform 5.1.3
- IBM Storwize V7000 Unified: 1.4 0, 1.3.2 3
- HP HP-UX Web Server Suite 3.22
- CTERA Networks CTERA Portal: 3.2.28, 3.1.39
- Apache Tomcat: 7.0.23, 5.5.35, 6.0.33 |
Discussion
Apache Tomcat is prone to a denial-of-service vulnerability.
Attackers may leverage this issue to consume an excessive amount of CPU resources, causing a denial-of-service condition.
Exploit / POC
Currently we are not aware of any working exploits.
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
MandrakeSoft Enterprise Server 5
- Mandriva tomcat5-5.5.28-0.5.0.4mdvmes5.2.noarch.rpm: http://www.mandriva.com/en/downloads/
- Mandriva tomcat5-admin-webapps-5.5.28-0.5.0.4mdvmes5.2.noarch.rpm: http://www.mandriva.com/en/downloads/
- Mandriva tomcat5-common-lib-5.5.28-0.5.0.4mdvmes5.2.noarch.rpm: http://www.mandriva.com/en/downloads/
- Mandriva tomcat5-jasper-5.5.28-0.5.0.4mdvmes5.2.noarch.rpm: http://www.mandriva.com/en/downloads/
- Mandriva tomcat5-jasper-eclipse-5.5.28-0.5.0.4mdvmes5.2.noarch.rpm: http://www.mandriva.com/en/downloads/
- Mandriva tomcat5-jasper-javadoc-5.5.28-0.5.0.4mdvmes5.2.noarch.rpm: http://www.mandriva.com/en/downloads/
- Mandriva tomcat5-jsp-2.0-api-5.5.28-0.5.0.4mdvmes5.2.noarch.rpm: http://www.mandriva.com/en/downloads/
- Mandriva tomcat5-jsp-2.0-api-javadoc-5.5.28-0.5.0.4mdvmes5.2.noarch.rpm: http://www.mandriva.com/en/downloads/
- Mandriva tomcat5-server-lib-5.5.28-0.5.0.4mdvmes5.2.noarch.rpm: http://www.mandriva.com/en/downloads/
- Mandriva tomcat5-servlet-2.4-api-5.5.28-0.5.0.4mdvmes5.2.noarch.rpm: http://www.mandriva.com/en/downloads/
- Mandriva tomcat5-servlet-2.4-api-javadoc-5.5.28-0.5.0.4mdvmes5.2.noarch.rpm: http://www.mandriva.com/en/downloads/
- Mandriva tomcat5-webapps-5.5.28-0.5.0.4mdvmes5.2.noarch.rpm: http://www.mandriva.com/en/downloads/
References
References:
- [Security-announce] VMSA-2012-0005 (VMware)
- 2013-11 Security Bulletin: Network and Security Manager: Apache Tomcat security (Juniper Networks)
- Apache Tomcat Homepage (Apache)
- CVE-2012-0022 Apache Tomcat Denial of Service (Apache Software Foundation)
- HPSBMU02747 SSRT100771 rev.1 - HP OpenView Network Node Manager (OV NNM) Running (HP)
- Multiple vulnerabilities in CTERA Portal (SEC Consult Vulnerability Lab)
- Multiple vulnerabilities in Oracle Java Web Console (Oracle)
- Multiple vulnerabilities in Oracle Java Web Console1 (Oracle)
- ASA-2012-158 tomcat5 security update (RHSA-2012-0474) (Avaya)
- HPSBUX02860 SSRT101146 rev.1 - HP-UX Apache Running Tomcat Servlet Engine, Remot (HP)
- JBoss Operations Network (Red Hat)
- Oracle Critical Patch Update Advisory - January 2013 (Oracle)
- Security Bulletin: Storwize V7000 Unified Update Includes Fixes for Multiple Ven (IBM)