CVE-2014-0227
Published: 15 February 2015
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.
From the Ubuntu Security Team
It was discovered that Tomcat incorrectly handled data with malformed chunked transfer coding. A remote attacker could possibly use this issue to conduct HTTP request smuggling attacks, or cause Tomcat to consume resources, resulting in a denial of service.
Priority
Status
Package | Release | Status |
---|---|---|
tomcat6 | artful | Does not exist |
tomcat6 | bionic | Does not exist |
tomcat6 | lucid | Ignored (end of life) |
tomcat6 | precise | Released (6.0.35-1ubuntu3.6) |
tomcat6 | trusty | Released (6.0.39-1ubuntu0.1) |
tomcat6 | upstream | Released (6.0.41-3) |
tomcat6 | utopic | Ignored (end of life) |
tomcat6 | vivid | Ignored (end of life) |
tomcat6 | wily | Ignored (end of life) |
tomcat6 | xenial | Released (6.0.45+dfsg-1) |
tomcat6 | yakkety | Does not exist |
tomcat6 | zesty | Does not exist |
tomcat7 | artful | Not vulnerable |
tomcat7 | bionic | Not vulnerable |
tomcat7 | lucid | Does not exist |
tomcat7 | precise | Ignored (end of life) |
tomcat7 | trusty | Released (7.0.52-1ubuntu0.3) |
tomcat7 | upstream | Released (7.0.55-1) |
tomcat7 | utopic | Not vulnerable (7.0.55-1) |
tomcat7 | vivid | Not vulnerable |
tomcat7 | wily | Not vulnerable |
tomcat7 | xenial | Not vulnerable |
tomcat7 | yakkety | Not vulnerable |
tomcat7 | zesty | Not vulnerable |
tomcat8 | artful | Not vulnerable |
tomcat8 | bionic | Not vulnerable |
tomcat8 | lucid | Does not exist |
tomcat8 | precise | Does not exist |
tomcat8 | trusty | Does not exist |
tomcat8 | upstream | Released (8.0.9-1) |
tomcat8 | utopic | Not vulnerable (8.0.9-1) |
tomcat8 | vivid | Not vulnerable |
tomcat8 | wily | Not vulnerable |
tomcat8 | xenial | Not vulnerable |
tomcat8 | yakkety | Not vulnerable |
tomcat8 | zesty | Not vulnerable |

Patches (tomcat6): upstream: https://svn.apache.org/viewvc?view=revision&revision=1476544, upstream: https://svn.apache.org/viewvc?view=revision&revision=1603628

Patches (tomcat7): upstream: https://svn.apache.org/viewvc?view=revision&revision=1601333

Patches (tomcat8): upstream: https://svn.apache.org/viewvc?view=revision&revision=1600984, upstream: https://svn.apache.org/viewvc?view=revision&revision=1601332