CVE-2014-0230 — Uncontrolled Resource Consumption in Apache Tomcat

Description

Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.

How to fix CVE-2014-0230

To remediate CVE-2014-0230, upgrade the affected package to a fixed version below.

Maven/org.apache.tomcat:tomcat—upgrade to 6.0.44 or later

Is CVE-2014-0230 being exploited?

Low — EPSS is 3.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 6.0.0, < 6.0.44

References (45)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-0230
PATCHgithub.com/apache/tomcat
WEBmail-archives.apache.org/mod_mbox/tomcat-announce/201505.mbox/%3C554949D1.8030904%40apache.org%3E
WEBmarc.info/?l=bugtraq&m=144498216801440&w=2