Debian Bug report logs - #215506
tomcat4: SECURITY: DoS attack by non-http request


Package: tomcat4; Maintainer for tomcat4 is (unknown);

Reported by: Aldrin Martoq <amartoq@dcc.uchile.cl>

Date: Mon, 13 Oct 2003 06:03:05 UTC

Severity: grave

Tags: patch, security, woody

Found in version 4.0.3-3woody2

Fixed in version tomcat4/4.0.3-3woody3

Done: Stefan Gybas <sgybas@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Stefan Gybas <sgybas@debian.org>:
Bug#215506; Package tomcat4.


Acknowledgement sent to Aldrin Martoq <amartoq@dcc.uchile.cl>:
New Bug report received and forwarded. Copy sent to Stefan Gybas <sgybas@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Aldrin Martoq <amartoq@dcc.uchile.cl>
To: submit@bugs.debian.org
Subject: tomcat4: SECURITY: DoS attack by non-http request
Date: Mon, 13 Oct 2003 03:00:16 -0300
Package: tomcat4
Version: 4.0.3-3woody2
Severity: grave
Justification: user security hole
Tags: patch

Hi,

	Tomcat from stable has a vulnerability in Catalina's
HttpProcessor.java. Sending an invalid request makes the HttpProcessor
unable to respond to further requests. Because the number of HttpProcessors is
limited (75 by default), this is a very easy DoS attack.

	It can be reproduced by sending a line which is not an HTTP request,
just any junk:

-----------------------------------------------------------
$ telnet 127.0.0.1 8180
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
die
^]
telnet> c
Connection closed.
-----------------------------------------------------------

which follows ...

/var/log/tomcat4/catalina_log.2003-10-13.txt---------------
2003-10-13 02:17:54 HttpProcessor[8180][4] process.parse
java.io.IOException: Couldn't read line
        at org.apache.catalina.connector.http.SocketInputStream.readRequestLine(SocketInputStream.java:235)
        at org.apache.catalina.connector.http.HttpProcessor.parseRequest(HttpProcessor.java:695)
        at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:959)
        at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:1107)
        at java.lang.Thread.run(Thread.java:484)
----------------------------------------------------------

	At this point, HttpProcessor #4 is dead and will not respond to
more requests. Repeating the non-HTTP request will hang all available
HttpProcessors.

	It can also be reproduced using the Nessus scanner (from unstable)
with all attacks marked. After all HttpProcessors are exhausted, Tomcat
cannot serve any more requests and must be restarted.

-----------------------------------------------------------
# grep process.parse catalina_log.2003-10-13.txt |tail -5
2003-10-13 01:36:14 HttpProcessor[8180][70] process.parse
2003-10-13 01:36:14 HttpProcessor[8180][71] process.parse
2003-10-13 01:36:14 HttpProcessor[8180][72] process.parse
2003-10-13 01:36:14 HttpProcessor[8180][73] process.parse
2003-10-13 01:36:15 HttpProcessor[8180][74] process.parse
# grep "No processor" catalina_log.2003-10-13.txt   
2003-10-13 02:33:37 HttpConnector[8180] No processor available, rejecting this connection
-----------------------------------------------------------



	We fixed this bug locally with the following patch, based on
Tomcat 4.1.27; it passed our test and the Nessus scanner. However, there are
many other possible flaws in the actual code in 4.0.3-woody2 that seem
fixed in the 4.1 series. We think it should be more sane to move
tomcat-4.1 to stable, now that 4.0 is marked obsolete by the Jakarta
Project.

Thanks in advance,

-----------------------------------------------------------
diff -r orig/tomcat4-4.0.3/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java fixed/tomcat4-4.0.3/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java
1037,1038c1037,1038
<             try {
<                 if (finishResponse) {
---
>             if (finishResponse) {
>                 try {
1039a1040,1046
>                 } catch (IOException e) {
>                     ok = false;
>                 } catch (Throwable e) {
>                     log("process.invoke", e);
>                     ok = false;
>                 }
>                 try {
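Review bot: the added `catch (IOException e)` silently sets `ok = false` while the `Throwable` case is logged as `process.invoke`; since the point of the fix is to keep a processor alive after a bad request, even a debug-level log of the IOException would let operators correlate it with the `process.parse` lines shown earlier in the report. Catching `Throwable` is what keeps the thread alive for failures the original `catch (IOException e)` did not cover (a `NullPointerException` from a half-parsed request, for instance), but it also absorbs `Error` subclasses such as `OutOfMemoryError`; if that is intended, a comment saying so would help the next maintainer.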
1040a1048,1054
>                 } catch (IOException e) {
>                     ok = false;
>                 } catch (Throwable e) {
>                     log("process.invoke", e);
>                     ok = false;
>                 }
>                 try {
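Review bot: this catch pair duplicates the previous one verbatim, which is acceptable in a minimal security patch, but the three guarded statements now behave differently from the original single block, where the first failure skipped everything after it. A short comment above the first `try` explaining that each step is isolated so that a failed response finish does not prevent the later cleanup would document the intent.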
1042a1057,1058
> 		} catch (IOException e) {
>                     ok = false;
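Review bot: this third `try` catches only `IOException`, unlike the two above which also catch `Throwable` and log `process.invoke`; a `RuntimeException` from the last guarded statement would still escape and terminate the processor, so either add the matching `catch (Throwable e)` branch or note why it is not needed here. Also the `} catch (IOException e) {` line is indented with a tab while the surrounding lines use spaces; please normalise to spaces to match the file.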
1044,1045d1059
<             } catch (IOException e) {
<                 ok = false;
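Review bot: deleting the original outer `catch (IOException e)` is correct once the per-statement handlers above are in place, but any statement inside the `if (finishResponse)` block that is not inside one of the three new `try` blocks is now unguarded; worth a quick check that original lines 1042 to 1046 contain nothing else that can throw.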
1046a1061
> 
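Review bot: whitespace-only additions like this blank line are best left out of a security update so the patch stays minimal and easy to audit.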
diff -r orig/tomcat4-4.0.3/catalina/src/share/org/apache/catalina/connector/http/HttpResponseStream.java fixed/tomcat4-4.0.3/catalina/src/share/org/apache/catalina/connector/http/HttpResponseStream.java
253c253
<         if (servletRequest.getMethod().equals("HEAD"))
---
>         if ("HEAD".equals(servletRequest.getMethod()))
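Review bot: the reversed comparison `"HEAD".equals(servletRequest.getMethod())` is null-safe, whereas the original throws a `NullPointerException` when `getMethod()` returns null, which can happen when request parsing fails as in the `process.parse` trace in the report; because that NPE is not an `IOException`, the original handler in HttpProcessor would not have caught it. A one-line comment on why the method can be null here would help, since the idiom otherwise reads as a cosmetic change.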
-----------------------------------------------------------



-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux sess 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages tomcat4 depends on:
ii  adduser                    3.47          Add and remove users and groups
ii  j2re1.3 [java2-runtime]    1.3.1.02b-2   Blackdown Java(TM) 2 Runtime Envir
ii  j2sdk1.3                   1.3.1.02b-2   Blackdown Java(TM) 2 SDK, Standard
ii  java-virtual-machine-dummy 0.3           Dummy Java virtual machine
ii  libtomcat4-java            4.0.3-3woody2 Java Servlet engine -- core librar
ii  logrotate                  3.5.9-8       Log rotation utility

-- 
Aldrin
"IF A PCKT hts a pocket on a scket on a port, & da bus is int'ed as a verylast
resort, & da addr o'da mem makes y flppy dsk abort, then da scket pckt pocket
has an error 2 report!" -- Dr. Seuss as a Network Wizard
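The log analysis the report performs by hand above (grepping `process.parse` entries per processor and watching for the `No processor available` rejection) can be automated. The following Python script is an added example and is not part of the bug report or of Tomcat; the log excerpt is constructed here in the format the report shows, and the default of 75 processors and the 50% warning threshold are assumptions.

```python
"""Detect exhaustion of Tomcat 4.0 HttpProcessor threads from catalina_log lines."""
import re

# Constructed log excerpt in the format shown in the bug report: a parse
# failure with its stack trace, further failures on other processors, a
# repeated failure on the same processor, and the final rejection line.
SAMPLE_LOG = """\
2003-10-13 01:36:14 HttpProcessor[8180][70] process.parse
java.io.IOException: Couldn't read line
        at org.apache.catalina.connector.http.SocketInputStream.readRequestLine(SocketInputStream.java:235)
2003-10-13 01:36:14 HttpProcessor[8180][71] process.parse
2003-10-13 01:36:14 HttpProcessor[8180][72] process.parse
2003-10-13 01:36:15 HttpProcessor[8180][72] process.parse
2003-10-13 02:33:37 HttpConnector[8180] No processor available, rejecting this connection
"""

# "<date> <time> HttpProcessor[<port>][<id>] process.parse"
PARSE_FAIL = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) HttpProcessor\[(\d+)\]\[(\d+)\] process\.parse\s*$"
)
# "<date> <time> HttpConnector[<port>] No processor available, ..."
REJECTED = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) HttpConnector\[(\d+)\] No processor available"
)


def analyse(log_text, max_processors=75, warn_fraction=0.5):
    """Summarise parse failures and rejections per connector port.

    max_processors: the connector's processor pool size (75 is Tomcat's
    documented default and an assumption here).
    warn_fraction: raise a warning once this share of distinct processors
    has logged a parse failure (threshold chosen for this example).
    """
    ports = {}

    def entry(port):
        return ports.setdefault(
            port, {"failures": 0, "processors": set(), "rejected": 0,
                   "first_fail": None, "last_fail": None}
        )

    for line in log_text.splitlines():
        m = PARSE_FAIL.match(line)
        if m:
            ts, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
            e = entry(port)
            e["failures"] += 1
            e["processors"].add(pid)
            e["first_fail"] = e["first_fail"] or ts
            e["last_fail"] = ts
            continue
        m = REJECTED.match(line)
        if m:
            entry(int(m.group(2)))["rejected"] += 1

    report = {}
    for port, e in ports.items():
        distinct = len(e["processors"])
        if e["rejected"]:
            state = "exhausted"          # connector already refusing clients
        elif distinct >= warn_fraction * max_processors:
            state = "warning"            # pool is draining
        else:
            state = "ok"
        report[port] = {
            "failed_processors": sorted(e["processors"]),
            "parse_failures": e["failures"],
            "rejected_connections": e["rejected"],
            "first_failure": e["first_fail"],
            "last_failure": e["last_fail"],
            "state": state,
        }
    return report


if __name__ == "__main__":
    for port, summary in analyse(SAMPLE_LOG).items():
        print("port %d: %s" % (port, summary))
```

On an unpatched 4.0.3 every `process.parse` entry corresponds to a processor thread that will never serve another request, so the count of distinct processor ids is effectively the dead-processor count and the warning fires well before the pool is empty. With the patch applied the line is still logged but the processor is expected to recover, so on a fixed system only the `No processor available` rejection indicates real exhaustion and the distinct-id warning should be read as a burst of malformed requests rather than lost capacity.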



Tags added: woody, security, patch Request was from Stefan Gybas <sgybas@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#215506; Package tomcat4.


Acknowledgement sent to Stefan Gybas <sgybas@debian.org>:
Extra info received and forwarded to list.


Message #12 received at 215506@bugs.debian.org:

From: Stefan Gybas <sgybas@debian.org>
To: Aldrin Martoq <amartoq@dcc.uchile.cl>, 215506@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#215506: tomcat4: SECURITY: DoS attack by non-http request
Date: Mon, 13 Oct 2003 14:10:47 +0200
Aldrin Martoq wrote:

> 	Tomcat from stable has a vulnerability in Catalina's
> HttpProcessor.java. Sending an invalid request makes the HttpProcessor
> unable to respond to further requests. Because the number of HttpProcessors is
> limited (75 by default), this is a very easy DoS attack.

Thanks for this report. It seems like only the HTTP/1.1 connector in the 
org.apache.catalina.connector.http package is affected, but not the 
HTTP/1.0 connector in the org.apache.catalina.connector.http10 package 
(which is not used in the default configuration).

> 	It can be reproduced by sending a line which is not an HTTP request,
> just any junk:

To actually trigger the DoS you can simply use:

for i in `seq 75`; do echo die | netcat -q 1 <hostname> 8180; done

> 	We fixed this bug locally with the following patch, based on
> Tomcat 4.1.27; it passed our test and the Nessus scanner. However, there are

Thanks a lot for the patch. I'm currently preparing a security update. 
This will then be the third update for tomcat4 since the release of 
Debian 3.0.

> many other possible flaws in the actual code in 4.0.3-woody2 that seem
> fixed in the 4.1 series. We think it should be more sane to move
> tomcat-4.1 to stable, now that 4.0 is marked obsolete by the Jakarta
> Project.

I know :-(

The security team won't accept a new upstream release for stable. 
Especially in this case, since tomcat 4.1 from unstable has a lot more 
dependencies than version 4.0 and most of them can't be satisfied in stable.

Stefan




Reply sent to Stefan Gybas <sgybas@debian.org>:
You have taken responsibility.


Notification sent to Aldrin Martoq <amartoq@dcc.uchile.cl>:
Bug acknowledged by developer.


Message #17 received at 215506-close@bugs.debian.org:

From: Stefan Gybas <sgybas@debian.org>
To: 215506-close@bugs.debian.org
Subject: Bug#215506: fixed in tomcat4 4.0.3-3woody3
Date: Wed, 15 Oct 2003 05:17:22 -0400
Source: tomcat4
Source-Version: 4.0.3-3woody3

We believe that the bug you reported is fixed in the latest version of
tomcat4, which is due to be installed in the Debian FTP archive:

libtomcat4-java_4.0.3-3woody3_all.deb
  to pool/contrib/t/tomcat4/libtomcat4-java_4.0.3-3woody3_all.deb
tomcat4-webapps_4.0.3-3woody3_all.deb
  to pool/contrib/t/tomcat4/tomcat4-webapps_4.0.3-3woody3_all.deb
tomcat4_4.0.3-3woody3.diff.gz
  to pool/contrib/t/tomcat4/tomcat4_4.0.3-3woody3.diff.gz
tomcat4_4.0.3-3woody3.dsc
  to pool/contrib/t/tomcat4/tomcat4_4.0.3-3woody3.dsc
tomcat4_4.0.3-3woody3_all.deb
  to pool/contrib/t/tomcat4/tomcat4_4.0.3-3woody3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 215506@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stefan Gybas <sgybas@debian.org> (supplier of updated tomcat4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 13 Oct 2003 13:34:18 +0200
Source: tomcat4
Binary: tomcat4 tomcat4-webapps libtomcat4-java
Architecture: source all
Version: 4.0.3-3woody3
Distribution: stable-security
Urgency: high
Maintainer: Stefan Gybas <sgybas@debian.org>
Changed-By: Stefan Gybas <sgybas@debian.org>
Description: 
 libtomcat4-java - Java Servlet engine -- core libraries
 tomcat4    - Java Servlet 2.3 engine with JSP 1.2 support
 tomcat4-webapps - Java Servlet engine -- documentation and example web applications
Closes: 198226 215506
Changes: 
 tomcat4 (4.0.3-3woody3) stable-security; urgency=high
 .
   * Include a patch from Aldrin Martoq which fixes a DoS attack
     (closes: #215506)
   * Correctly start tomcat4 when booting (closes: #198226)
Files: 
 64c5aa3e586635edcd2678d10ab809d2 708 contrib/web optional tomcat4_4.0.3-3woody3.dsc
 bafcad535ede73b939b31e32be50ca9b 16223 contrib/web optional tomcat4_4.0.3-3woody3.diff.gz
 39150e4598d20ed52d49a470d2d8ce7b 126724 contrib/web optional tomcat4_4.0.3-3woody3_all.deb
 e667be7a8c67c26834069f15dd93f616 1134260 contrib/web optional libtomcat4-java_4.0.3-3woody3_all.deb
 9b3283713a2de35d7647f4b9e9820c99 1164474 contrib/web optional tomcat4-webapps_4.0.3-3woody3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/ipbVCdoSgNrrJGsRAjwcAKC1k3XLrPfLQ+Pt2PVWK/h6BeI/YQCffJGc
Dc6Y+mqH9uN7YdJKKpOaWfw=
=kcfU
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 06:42:00 2025; Machine Name: buxtehude
