It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat and JBoss Web processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default.
Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | tomcat6 | 2014-05-21 10:45 | ALAS-2014-344 |
Score Type | Score | Vector | |
---|---|---|---|
Amazon Linux | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:N/A:P |
NVD | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:N/A:P |