Description
Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle the case where an HTTP response is sent before the entire request body has been read, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
Remediation
References
http://openwall.com/lists/oss-security/2015/04/10/1
http://svn.apache.org/viewvc?view=revision&revision=1603770
http://svn.apache.org/viewvc?view=revision&revision=1603779
http://tomcat.apache.org/security-6.html
http://svn.apache.org/viewvc?view=revision&revision=1603775
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-7.html
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201505.mbox/%3C554949D1.8030904%40apache.org%3E
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.debian.org/security/2016/dsa-3530
http://rhn.redhat.com/errata/RHSA-2016-0599.html
http://rhn.redhat.com/errata/RHSA-2016-0597.html
http://rhn.redhat.com/errata/RHSA-2016-0598.html
http://rhn.redhat.com/errata/RHSA-2016-0595.html
http://rhn.redhat.com/errata/RHSA-2016-0596.html
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
http://marc.info/?l=bugtraq&m=145974991225029&w=2
http://marc.info/?l=bugtraq&m=144498216801440&w=2
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
http://rhn.redhat.com/errata/RHSA-2015-2661.html
https://access.redhat.com/errata/RHSA-2015:2659
https://access.redhat.com/errata/RHSA-2015:2660
https://issues.jboss.org/browse/JWS-220
https://issues.jboss.org/browse/JWS-219
http://www.debian.org/security/2016/dsa-3447
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
http://rhn.redhat.com/errata/RHSA-2015-1622.html
http://rhn.redhat.com/errata/RHSA-2015-1621.html
http://www.ubuntu.com/usn/USN-2655-1
http://www.securityfocus.com/bid/74475
http://www.ubuntu.com/usn/USN-2654-1
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E