CVE-2011-0534 Information
Description
Apache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not enforce the maxHttpHeaderSize limit for requests involving the NIO HTTP connector, which allows remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request.
Reference
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://osvdb.org/70809
http://secunia.com/advisories/43192
http://secunia.com/advisories/45022
http://secunia.com/advisories/57126
http://securityreason.com/securityalert/8074
http://support.apple.com/kb/HT5002
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.32
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.8_(released_5_Feb_2011)
http://www.debian.org/security/2011/dsa-2160
http://www.securityfocus.com/archive/1/516214/100/0/threaded
http://www.securityfocus.com/bid/46164
http://www.securitytracker.com/id?1025027
http://www.vupen.com/english/advisories/2011/0293
https://exchange.xforce.ibmcloud.com/vulnerabilities/65162