Mark,

On 6/25/15 3:49 AM, Mark Thomas wrote:
> On 25/06/2015 07:07, Nikitha Benny wrote:
>> Hi,
>> 
>> I am confused regarding the 2 security issues CVE-2007-6750 and
>> CVE-2009-5111.
>> 
>> Can they be tracked to CVE-2012-5568?
> 
> All of those CVEs are essentially the same issue (slowloris) in 
> different products.
> 
>> According to CVE-2012-5568, I understand that this is not a
>> vulnerability in Tomcat. Please confirm.
> 
> That depends on your point of view.
> 
>> When Tomcat 7.0.62 was scanned using McAfee Vulnerability Manager
>> Tool, it reported the below results:
>> 
>> HTTP Server Prone To Slow Denial Of Service Attack [FID
>> 12824] 5.0 Medium 10.53.137.57:80 (http), 10.53.137.57:8081
>> (http)
>> 
>> HTTP Server Prone To Slow Denial Of Service Attack [FID
>> 12824] 5.0 Medium 10.53.137.56:80 (http), 10.53.137.56:8081
>> (http)
>> 
>> 
>> Please help me understand if this can be resolved or if this is a
>> valid vulnerability.
> 
> Read this and the referenced links.
> 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=54263

... and of course the mitigation for Slowloris is:

1. Use a non-blocking I/O connector (NIO, NIO2)
2. Set appropriate values for the following <Connector> settings:
   - connectionTimeout
   - connectionUploadTimeout
   - keepAliveTimeout
   - maxPostSize
   - maxSwallowSize

At some point, it may be necessary to write a Valve (or similar
component) that keeps track of throughput, and aborts a connection
whose throughput fails to meet some threshold. To do that, you'd want
to take into account the size of the upload and the total time taken
by the request. Some clients are just slow and that's okay. But if you
have a client that has been tying up a connection for 30 seconds and
only sent a few bytes, kill 'em.

- -chris
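A defender-side check for the Connector settings listed above, added here as an example (it is not code from this thread or from Tomcat itself): it parses a constructed server.xml fragment and flags Connectors that are blocking or that leave the listed timeouts and size limits loose. The sample values, the Tomcat 7 protocol-default assumption and the millisecond thresholds are assumptions chosen for the example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: a blocking connector with loose settings
# beside a hardened NIO connector (assumed example values, not from the thread).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" connectionTimeout="60000" />
  <Connector port="8081" protocol="org.apache.coyote.http11.Http11NioProtocol"
             connectionTimeout="5000" keepAliveTimeout="5000"
             disableUploadTimeout="false" connectionUploadTimeout="30000"
             maxPostSize="1048576" maxSwallowSize="1048576" />
</Service></Server>"""

# On Tomcat 7, protocol="HTTP/1.1" (or no protocol attribute) selects the
# blocking BIO connector unless the APR native library is installed.
BLOCKING_PROTOCOLS = {"HTTP/1.1", "org.apache.coyote.http11.Http11Protocol"}
MAX_CONNECTION_TIMEOUT_MS = 20000   # assumed policy threshold for this example
MAX_UPLOAD_TIMEOUT_MS = 60000       # assumed policy threshold for this example

def _too_long(value, limit):
    """True if a timeout attribute is absent, infinite (-1) or above the limit."""
    return value is None or int(value) < 0 or int(value) > limit

def audit_connector(conn):
    """Return a list of findings for one <Connector> element."""
    port = conn.get("port", "?")
    findings = []
    if conn.get("protocol", "HTTP/1.1") in BLOCKING_PROTOCOLS:
        findings.append(f"port {port}: blocking connector, switch to NIO or NIO2")
    if _too_long(conn.get("connectionTimeout"), MAX_CONNECTION_TIMEOUT_MS):
        findings.append(f"port {port}: connectionTimeout missing, infinite or above {MAX_CONNECTION_TIMEOUT_MS} ms")
    # keepAliveTimeout inherits connectionTimeout when absent, so only flag an explicit loose value
    keep_alive = conn.get("keepAliveTimeout")
    if keep_alive is not None and _too_long(keep_alive, MAX_CONNECTION_TIMEOUT_MS):
        findings.append(f"port {port}: keepAliveTimeout infinite or above {MAX_CONNECTION_TIMEOUT_MS} ms")
    # connectionUploadTimeout only applies when disableUploadTimeout="false" (default is true)
    if conn.get("disableUploadTimeout", "true").lower() != "false":
        findings.append(f"port {port}: disableUploadTimeout is true, connectionUploadTimeout is ignored")
    elif _too_long(conn.get("connectionUploadTimeout"), MAX_UPLOAD_TIMEOUT_MS):
        findings.append(f"port {port}: connectionUploadTimeout missing, infinite or above {MAX_UPLOAD_TIMEOUT_MS} ms")
    for attr in ("maxPostSize", "maxSwallowSize"):   # both default to 2 MB when unset
        if conn.get(attr) is None:
            findings.append(f"port {port}: {attr} not set, Tomcat default applies")
    return findings

def audit_server_xml(text):
    """Audit every <Connector> in a server.xml document; returns all findings."""
    root = ET.fromstring(text)
    return [f for conn in root.iter("Connector") for f in audit_connector(conn)]
```

Running `audit_server_xml(SAMPLE_SERVER_XML)` reports five findings, all against the port 8080 connector, and none against the hardened one.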