Apache Tomcat version older than 7.0.23
Description
Apache Tomcat versions 7.0.0 through 7.0.22 contain a denial of service vulnerability (CVE-2012-0022) caused by inefficient processing of HTTP requests with large numbers of parameters. When handling requests containing excessive parameters or parameter values, Tomcat consumes significant CPU resources because of algorithmic inefficiencies in its parameter parsing logic. The issue is distinct from the hash collision attacks against parameter parsing, although it was discovered while analysing them, and it allows unauthenticated remote attackers to exhaust server resources.
Remediation
Upgrade Apache Tomcat to version 7.0.23 or later, which includes improved parameter handling code that efficiently processes large numbers of parameters and parameter values.
Remediation Steps:
- Download Apache Tomcat 7.0.23 or the latest stable version from the official Apache Tomcat website
- Back up your current Tomcat installation and all deployed applications
- Stop the running Tomcat service
- Replace the Tomcat binaries with the updated version, preserving your configuration files (server.xml, web.xml, context.xml)
- Review the changelog for any configuration changes required between versions
- Restart Tomcat and verify that all applications function correctly
- Monitor server logs for any errors during startup
As a temporary mitigation, if an immediate upgrade is not possible, consider implementing rate limiting or request filtering at the web server or firewall level to reject requests with an abnormally large number of parameters.
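The following is an added example (not part of the original advisory or of Tomcat itself) that supports both parts of the remediation above: a version check against the affected range stated in this advisory, and a front-end filter that counts request parameters so that oversized requests can be dropped before they reach a vulnerable Tomcat. The parameter threshold and the banner format "Apache Tomcat/x.y.z" are assumptions; the chunk-counting approximates Tomcat's '&'-based splitting and is not its actual parser.

```python
import re
from urllib.parse import urlsplit

# Affected range from the advisory: 7.0.0 through 7.0.22, fixed in 7.0.23.
AFFECTED_MIN = (7, 0, 0)
FIXED_IN = (7, 0, 23)

# "Abnormally large" is not quantified in the advisory; this limit is an
# assumption for the example and should be tuned to legitimate traffic.
DEFAULT_MAX_PARAMS = 1000


def parse_tomcat_version(banner):
    """Return (major, minor, patch) from a banner such as 'Apache Tomcat/7.0.22'
    (assumed format, as printed by version.sh or the ServerInfo class)."""
    m = re.search(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Tomcat version found in: %r" % banner)
    return tuple(int(x) for x in m.groups())


def is_affected(banner):
    """True if the banner's version lies in the range covered by this advisory."""
    return AFFECTED_MIN <= parse_tomcat_version(banner) < FIXED_IN


def count_parameters(query_string, body="", content_type=""):
    """Approximate the number of name=value pairs Tomcat would parse: every
    non-empty '&'-separated chunk of the query string, plus the chunks of a
    form-encoded body. Values are deliberately not decoded; only the count matters."""
    chunks = [c for c in query_string.split("&") if c]
    if content_type.split(";")[0].strip().lower() == "application/x-www-form-urlencoded":
        chunks += [c for c in body.split("&") if c]
    return len(chunks)


def should_block(request_target, body="", content_type="", max_params=DEFAULT_MAX_PARAMS):
    """Filter decision for a reverse proxy or WAF hook: reject a request whose
    total parameter count exceeds the limit before it is forwarded to Tomcat."""
    query = urlsplit(request_target).query
    return count_parameters(query, body, content_type) > max_params


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    print(is_affected("Apache Tomcat/7.0.22"), is_affected("Apache Tomcat/7.0.23"))
    flood = "&".join("p%d=x" % i for i in range(5000))
    print(should_block("/app/search?" + flood), should_block("/app/search?q=tomcat&page=2"))
```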