Proof-of-concept exploit code is available for a vulnerability that allows attackers to launch denial-of-service (DoS) attacks against websites hosted on Apache Tomcat servers.
Apache Tomcat is a widely used Web server for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies.
The new DoS vulnerability is in the Apache Commons FileUpload, a stand-alone library developers can use to add file upload capability to their Java Web-based applications. This library is in Apache Tomcat versions 7 and 8 in by default in order to support the processing of mime-multipart requests.
The multipart content type also comes into play when an HTTP request needs to include different sets of data in its body. The different data sets end up separated by an encapsulation boundary — a string of text defined in the request headers to serve as the boundary.
Requests with a specified boundary longer than 4091 characters will force vulnerable Apache Tomcat servers into an endless loop, said security researchers from Trustwave. As a result, the Tomcat process will end up using all available CPU resources until it stops.
The vulnerability, tracked as CVE-2014-0050, ended up reported responsibly to the Apache Software Foundation Feb. 4, but accidentally made it out to the public two days later because of an error in addressing an internal email. This prompted Apache to release a security advisory the same day despite the absence of patched versions for Commons FileUpload or Tomcat 7 and 8.
Since then, officials fixed the vulnerability in Commons FileUpload version 1.3.1 that released on Feb. 7 and a beta version of Tomcat 8.0.3 released last Tuesday. It also should come out in Apache Tomcat 7.0.51, but this version of the server has yet to release.
According to Apache, the risk from this vulnerability is lower on older servers running Tomcat 6. “While Tomcat 6 uses Commons FileUpload as part of the Manager application, access to that functionality is limited to authenticated administrators,” Apache said in its advisory.
Code patches are available in the SVN repositories for Commons FileUpload, Tomcat 8 and Tomcat 7, but they need manual application.
Servers running Apache Tomcat 7.0 to 7.0.50 or 8.0 to 8.0.1 and hosting sites that utilize Servlet 3.0 specifications — for example “request.getPart” or “request.getParts” methods — are vulnerable, said Oren Hafif, a security researcher at Trustwave, in a blog post. Sites using Apache Commons FileUpload library older than 1.3.1 are also vulnerable, he said.
The researcher released a proof-of-concept exploit written in Ruby that administrators can use in their quality assurance or staging environments to test if their Tomcat-hosted sites are vulnerable.