Apache Tomcat version older than 7.0.28 - Vulnerability Database

Apache Tomcat version older than 7.0.28

Description

Apache Tomcat 7.0.0 through 7.0.27 contain two denial of service vulnerabilities, both confined to the HTTP NIO connector (protocol="org.apache.coyote.http11.Http11NioProtocol" in server.xml). CVE-2012-2733, rated Important by the Apache Tomcat security team, is a flaw in the NIO connector's request parsing: the check that enforces the request header size limit runs too late, so a single unauthenticated request carrying very large headers can drive the JVM into an OutOfMemoryError and take the whole instance down. CVE-2012-4534, rated Low, affects the NIO connector only when it is used with HTTPS and sendfile enabled: a client that drops the connection while the response is still being sent causes the connector to enter an infinite loop that consumes CPU and eventually exhausts server resources. Neither issue requires authentication, and both are triggered remotely. Installations that keep Tomcat 7's default connector setting (protocol="HTTP/1.1", which selects the BIO implementation, or APR when the native library is installed) are not exposed to either issue, but should still upgrade.

Remediation

Upgrade Apache Tomcat to version 7.0.28 or later immediately. Follow these steps:

  1. Download Apache Tomcat 7.0.28 or the latest stable version from the official Apache Tomcat website
  2. Back up your current Tomcat installation, including all configuration files and deployed applications
  3. Stop the running Tomcat service
  4. Replace the Tomcat binaries with the new version while preserving your configuration files (server.xml, web.xml, context.xml)
  5. Review the changelog for any configuration changes required between versions
  6. Test the upgraded installation in a non-production environment before deploying to production
  7. Start the Tomcat service, confirm with bin/version.sh (or catalina.sh version) that the reported Server number is 7.0.28 or later, and verify all applications function correctly

If an immediate upgrade is not possible, apply temporary mitigations that remove the preconditions the two issues depend on. Enforce a request header size limit at the reverse proxy or load balancer in front of Tomcat; lowering maxHttpHeaderSize on the Tomcat connector itself does not help against CVE-2012-2733, because the flaw is precisely that this limit is checked too late. Where the NIO connector is not required, switch the connector's protocol attribute back to "HTTP/1.1", which removes the exposure to both issues. Where NIO must stay, setting useSendfile="false" on the HTTPS connector removes the sendfile precondition of CVE-2012-4534 but does nothing for CVE-2012-2733, so it is a stopgap only until 7.0.28 is deployed.
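The two facts that decide how urgent the steps above are for a given host are the build number and whether server.xml actually enables the NIO connector. The following POSIX shell check is an added example, not part of this advisory or of Apache Tomcat: it takes the Server number as printed by bin/version.sh (the caller extracts the number, e.g. "7.0.27.0"), strips XML comments from server.xml so a commented-out example connector does not produce a false positive, and reports a verdict. The two server.xml files and the version strings are constructed sample data; the function names are this example's own.

```shell
#!/bin/sh
# Added example for the remediation steps above; it is not part of the Invicti
# advisory or of Apache Tomcat. It answers two questions before an upgrade:
# is this build in the affected 7.0.0 through 7.0.27 range, and does server.xml
# actually enable the HTTP NIO connector, the only connector CVE-2012-2733 and
# CVE-2012-4534 apply to. Version strings and server.xml files below are
# constructed sample data; the function names are this example's own.

# $1 is the "Server number" that $CATALINA_HOME/bin/version.sh prints,
# e.g. "7.0.27.0". Returns 0 when it falls in 7.0.0 through 7.0.27.
tomcat_version_affected() {
    _major=${1%%.*}
    _rest=${1#*.}
    _minor=${_rest%%.*}
    _rest=${_rest#*.}
    _patch=${_rest%%.*}
    [ "$_major" -eq 7 ] && [ "$_minor" -eq 0 ] && [ "$_patch" -lt 28 ]
}

# $1 is a path to server.xml. Returns 0 if an active <Connector> selects the
# NIO protocol class. XML comments (including multi-line ones) are stripped
# first so a commented-out example connector is not counted. The default
# protocol="HTTP/1.1" selects BIO (or APR with the native library) in
# Tomcat 7, neither of which is affected by these two CVEs.
server_xml_uses_nio() {
    awk '
        {
            line = $0
            while (1) {
                if (in_comment) {
                    end = index(line, "-->")
                    if (end == 0) { line = ""; break }
                    line = substr(line, end + 3); in_comment = 0
                } else {
                    start = index(line, "<!--")
                    if (start == 0) break
                    out = out substr(line, 1, start - 1)
                    line = substr(line, start + 4); in_comment = 1
                }
            }
            out = out line "\n"
        }
        END { printf "%s", out }
    ' "$1" | grep -q 'org\.apache\.coyote\.http11\.Http11NioProtocol'
}

# Constructed sample: NIO appears only inside a comment, so the HTTP
# connector on this host is not exposed even on a vulnerable build.
SAMPLE_BIO_ONLY=$(mktemp)
cat > "$SAMPLE_BIO_ONLY" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
         SSLEnabled="true" scheme="https" secure="true" /> -->
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/></Engine>
  </Service>
</Server>
EOF

# Constructed sample: an active NIO HTTPS connector with sendfile left at its
# default (enabled), the combination CVE-2012-4534 needs.
SAMPLE_NIO_HTTPS=$(mktemp)
cat > "$SAMPLE_NIO_HTTPS" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/></Engine>
  </Service>
</Server>
EOF
trap 'rm -f "$SAMPLE_BIO_ONLY" "$SAMPLE_NIO_HTTPS"' EXIT

# Combine both checks into one verdict line for a host.
# $1 is the version string, $2 the path to its server.xml.
verdict() {
    if ! tomcat_version_affected "$1"; then
        echo "not affected: $1 is outside 7.0.0-7.0.27"
    elif server_xml_uses_nio "$2"; then
        echo "AFFECTED: $1 with an active NIO connector; upgrade to 7.0.28+"
    else
        echo "vulnerable build $1, but no active NIO connector; upgrade anyway"
    fi
}

verdict 7.0.27.0 "$SAMPLE_NIO_HTTPS"
verdict 7.0.27.0 "$SAMPLE_BIO_ONLY"
verdict 7.0.28.0 "$SAMPLE_NIO_HTTPS"
```

Run it against a real host by feeding the Server number from bin/version.sh and the path to conf/server.xml into verdict. The comment stripping matters in practice because stock and vendor-supplied server.xml files often carry commented-out connector examples; a plain grep for the NIO class would flag those hosts as exposed when they are not.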

Related Vulnerabilities