is tomcat 6.0.35 vulnerable to CVE-2007-6750?

0 votes
438 views

I don't know if this is the correct list, but it seems to be the best one.

I'm trying to find evidence of whether tomcat 6.0.35 is vulnerable (and if so, was it fixed and in which version?) to the issue identified in CVE-2007-6750?

"The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15."

I found a single statement on https://bugzilla.redhat.com/show_bug.cgi?id=880011 that says Tomcat is affected, but I haven't found any published fix from RH or any confirmation on the tomcat.apache.org website.

Any info would be great.

posted Jun 12, 2013 by anonymous


1 Answer

+1 vote
 
Best answer

Note that, officially, CVE-2007-6750 is against Apache httpd, and no other product. Technically, CVE-2007-6750 cannot be applied to Tomcat.

On the other hand, the technique used for a DoS (Slowloris) can definitely be used to DoS Tomcat under certain configurations. Technically, this is tracked via a separate CVE issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568 (which you should have found from Red Hat's Bugzilla entry).

To (partially) mitigate Slowloris, use the NIO connector with an appropriate connectionTimeout configured.

Confirmation on Tomcat:
http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat

answer Jun 12, 2013 by anonymous
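As an added illustration of the mitigation the answer recommends (this is example configuration written for this page, not taken from the answer or from the Tomcat project), here is a Tomcat 6 `conf/server.xml` connector pair: the blocking connector that the stock `protocol="HTTP/1.1"` setting selects, which pins one worker thread to every open socket, beside the NIO connector with a bounded `connectionTimeout`. Port numbers, thread counts and the timeout value are assumed and should be sized for the deployment.

```xml
<!-- WEAK: the default protocol="HTTP/1.1" on Tomcat 6 is the blocking
     (BIO) connector. Each accepted socket occupies a worker thread for
     as long as the client keeps the connection open, and without a
     connectionTimeout the server waits indefinitely for the request
     line and headers. A few hundred half-sent requests (Slowloris style)
     therefore hold every one of the maxThreads workers and new clients
     queue in acceptCount until they are refused. -->
<Connector port="8080"
           protocol="HTTP/1.1"
           maxThreads="200"
           acceptCount="100" />

<!-- HARDENED: the NIO connector parks idle sockets on a poller thread
     instead of a worker, so an open-but-silent connection no longer
     consumes a request-processing thread. connectionTimeout (ms) bounds
     how long the server waits for the request line and headers, and for
     the next request on a keep-alive connection; sockets that stay
     incomplete past that window are closed. This only partially
     mitigates slow-request DoS, as the answer says: a client that drips
     one header byte inside every timeout window still holds a socket,
     so file-descriptor limits and an upstream reverse proxy with its own
     request timeouts remain part of the picture. -->
<Connector port="8080"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="20000"
           maxThreads="200"
           acceptCount="100" />
```

Keep only one connector on a given port; the two blocks are shown together for comparison, and the weak one is what to replace.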
Similar Questions
0 votes

Upgrading from tomcat 6.0.35 to 6.0.36 causes a simple jsp page to require about 20 minutes to load.

We have two clients that are running in an IBM mainframe USS (Unix System Services) environment and when they upgraded from tomcat 6.0.35 to 6.0.36, the simple jsp page in our webapp takes up to 20 minutes to load into the web browser. We have other clients that are successfully running 6.0.36 in the USS environment. So it is a somewhat isolated issue.

I looked over the 6.0.36 change log at
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html#Tomcat%206.0.36%20%28jfclere%29,
but nothing jumped out at me as to which change may have caused the issue.

Since I am not a tomcat expert, I am asking for help on how to diagnose this issue.

Are there certain logging options that could be enabled?

+2 votes

Does anyone know how to disable SSL v3 in an older Tomcat version? I have tried a variety of solutions, including sslProtocols or sslEnabledProtocols, but both did not work well. The Firefox I am using to test only selects TLS 1, and the result is that I was not able to access the site.

Below is the server information:

Server version: Apache Tomcat/6.0.18
Server built: Jul 22 2008 02:00:36
Server number: 6.0.18.0
OS Name: Windows 2003
OS Version: 5.2
Architecture: x86
JVM Version: 1.6.0-b105
JVM Vendor: Sun Microsystems Inc

+3 votes

I'm developing a permission system in Tomcat and I would like to restrict incoming connections per application. I mean, I want to restrict incoming connections in some applications and permit them in others.

I have tried to do it with the Security Manager (SocketPermission), but it doesn't restrict all incoming connections. I have also tried RemoteAddrValve and RemoteHostValve, but they restrict all connections, not only the incoming ones. I have been searching for another way to do that but I couldn't find anything.

Is it possible? Could anybody help me?

+1 vote

We have a context that includes an underscore and that is unfortunately causing problems w/ a load balancer and cookie paths. Our URLs resemble this:

https://example.com/the_context/login.jsp

Where we have deployed a war file named "the_context.war".

I'd like to somehow alias the context name so both of these urls would effectively be the same:

https://example.com/the_context/login.jsp
https://example.com/thecontext/login.jsp

Ideally this would be done w/o deploying the application twice. Is this possible in Tomcat 6 and/or 7?

...