On 06/05/2015 09:14, André Warnier wrote:
> Jose María Zaragoza wrote:
>> 2015-05-06 0:53 GMT+02:00 Mark Thomas <ma...@apache.org>:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA256
>>>
>>> CVE-2014-0230 Denial of Service
>>>
>>> Severity: Low
>>>
>>> Vendor: The Apache Software Foundation
>>>
>>> Versions Affected:
>>> - Apache Tomcat 8.0.0-RC1 to 8.0.8
>>> - Apache Tomcat 7.0.0 to 7.0.54
>>> - Apache Tomcat 6.0.0 to 6.0.43
>>>
>>> Description:
>>> When a response for a request with a request body is returned to the
>>> user agent before the request body is fully read, by default Tomcat
>>> swallows the remaining request body so that the next request on the
>>> connection may be processed.
>>
>>
>> I'm trying to understand when that behaviour is happening.
>> When is a response returned before the request body is fully read?
>> What happens when the remaining request body is read?
>>
>
> Guess for Q1: when the original request's target is an area which
> requires authentication, and the request is not?
Yes, that is one case. Generally these are error conditions. Either Tomcat
or the app knows after reading the headers (and maybe the first part of
the response body) exactly what the response is going to be and that the
rest of the request body can be skipped.

Although Tomcat ignores the remainder of the body it needs to read it, as
most clients don't read the response until the client has fully written
the request (which means Tomcat has to read it).

> Q2: That is explained in the message: it is discarded.
> It's just that it may be very large (and/or slow), and Tomcat may have a
> thread busy for a while reading it to the end.

Exactly. The only reason this gets classed as a DoS (and it was on the
border of being/not being a vulnerability) is that Tomcat didn't place
any limit on how much data it would read and ignore.

There are easier ways to DoS a Tomcat server than use this vector.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
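The exchange above describes the mechanism in words: the server answers (here, with a 401 for an unauthenticated request to a protected area) before the application has consumed the request body, then keeps reading and discarding the rest of that body so the keep-alive connection stays usable, and before the fix there was no ceiling on how much it would discard. The following is an added model of that behaviour, written for this thread; it is not Tomcat's code. It parses a constructed HTTP/1.1 request from an in-memory stream, rejects it early, then swallows the unread body either without a limit (the pre-fix behaviour) or with a cap, after which it gives up on the connection instead of reading on. The protected prefix `/admin/`, the 5 MiB body, the 2 MiB cap and all function names are assumptions made for the example; the cap value is the same order of magnitude as the `maxSwallowSize` connector attribute the Tomcat fix introduced, but the model itself is not Tomcat's implementation.

```python
"""Model of swallowing an unread request body after an early response.

Added example for the CVE-2014-0230 discussion; not Tomcat's code.
"""
import io

# Assumed cap for this model (2 MiB); a real server exposes it as config.
MAX_SWALLOW_SIZE = 2 * 1024 * 1024


class SwallowLimitExceeded(Exception):
    """The server stopped discarding body bytes and will drop the connection."""

    def __init__(self, discarded):
        super().__init__(f"gave up after discarding {discarded} bytes")
        self.discarded = discarded


def parse_request_head(stream):
    """Read the request line and headers; return (method, target, headers)."""
    request_line = stream.readline().decode("latin-1").rstrip("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    while True:
        line = stream.readline()
        if line in (b"", b"\r\n", b"\n"):
            break
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def swallow_remaining(stream, remaining, max_swallow_size=None, chunk=8192):
    """Discard up to `remaining` unread body bytes so the next request can be read.

    With max_swallow_size=None this is the unbounded pre-fix behaviour: the
    thread stays busy until the client has sent every byte it promised.
    With a cap, the server stops once it has discarded more than the cap.
    Returns the number of bytes discarded.
    """
    discarded = 0
    while discarded < remaining:
        data = stream.read(min(chunk, remaining - discarded))
        if not data:  # client closed early; nothing more to swallow
            break
        discarded += len(data)
        if max_swallow_size is not None and discarded > max_swallow_size:
            raise SwallowLimitExceeded(discarded)
    return discarded


def handle_request(stream, protected_prefix="/admin/", max_swallow_size=None):
    """Serve one request and return what happened to its body.

    Unauthenticated requests to the protected area are answered with 401
    before the body is read, which is the "response before body" case from
    the advisory; everything else is served after reading the whole body.
    """
    _method, target, headers = parse_request_head(stream)
    content_length = int(headers.get("content-length", "0"))
    if target.startswith(protected_prefix) and "authorization" not in headers:
        status, body_read = 401, 0          # app never touches the body
    else:
        status = 200
        body_read = len(stream.read(content_length))  # app consumed it all
    remaining = content_length - body_read
    try:
        swallowed = swallow_remaining(stream, remaining, max_swallow_size)
        keep_alive = True
    except SwallowLimitExceeded as exc:
        swallowed, keep_alive = exc.discarded, False
    return {"status": status, "body_read": body_read,
            "swallowed": swallowed, "keep_alive": keep_alive}


def build_request(target, body_size, extra_headers=()):
    """Constructed POST with a body of `body_size` filler bytes (sample input)."""
    head = [f"POST {target} HTTP/1.1", "Host: tomcat.example",
            f"Content-Length: {body_size}", *extra_headers]
    return ("\r\n".join(head) + "\r\n\r\n").encode("latin-1") + b"A" * body_size


def demo(body_size=5 * 1024 * 1024):
    """Same unauthenticated 5 MiB POST, served without and with a swallow cap."""
    request = build_request("/admin/upload", body_size)
    unbounded = handle_request(io.BytesIO(request))
    capped = handle_request(io.BytesIO(request), max_swallow_size=MAX_SWALLOW_SIZE)
    return unbounded, capped


if __name__ == "__main__":
    no_limit, with_limit = demo()
    print("no limit:  ", no_limit)
    print("with limit:", with_limit)
```

In the unbounded run the 401 goes out immediately but the handler still consumes all 5 MiB before the connection is free, which is the thread-tying behaviour André describes; a real attacker would also send those bytes slowly. With the cap the handler discards just over 2 MiB and then marks the connection for closing, trading keep-alive for a bounded amount of work per rejected request.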