Tomcat: new security vulnerabilities reported across all release lines

Tomcat reports denial-of-service and information disclosure vulnerabilities across all current release lines, including:

CVE-2014-0075 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

Description:
It was possible to craft a malformed chunk size as part of a chunked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later (6.0.40 contains the fix but was not released)

CVE-2014-0095 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC2 to 8.0.3

Description:
A regression was introduced in revision 1519838 that caused AJP requests to hang if an explicit content length of zero was set on the request. The hanging request consumed a request processing thread, which could lead to a denial of service.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released)

CVE-2014-0096 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

Description:
The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later (6.0.40 contains the fix but was not released)

CVE-2014-0097 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

Description:
The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.5 or later (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later (6.0.40 contains the fix but was not released)

CVE-2014-0119 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.5
- Apache Tomcat 7.0.0 to 7.0.53
- Apache Tomcat 6.0.0 to 6.0.39

Description:
In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.8 or later (8.0.6 and 8.0.7 contain the fix but were not released)
- Upgrade to Apache Tomcat 7.0.54 or later
- Upgrade to Apache Tomcat 6.0.41 or later (6.0.40 contains the fix but was not released)

Related reading:
- Deploying Solr 4 via Tomcat on Ubuntu 12.04 LTS http://www.linuxidc.com/Linux/2012-09/71158.htm
- Deploying Solr (4.4) to Tomcat (7.0.53) on Ubuntu http://www.linuxidc.com/Linux/2014-05/101443.htm
- Load balancing Apache with a cluster of multiple Tomcat instances on Linux http://www.linuxidc.com/Linux/2012-01/51731.htm
- Notes on an Nginx + Tomcat cluster load-balancing solution http://www.linuxidc.com/Linux/2013-07/86827.htm
- Worked example: installing Tomcat components, reverse-proxying Tomcat with Nginx, and reverse proxying and load balancing with Apache mod_jk and mod_proxy http://www.linuxidc.com/Linux/2013-06/85290.htm
- Setting up an Apache + Tomcat environment (JK deployment walkthrough) http://www.linuxidc.com/Linux/2012-11/74474.htm
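As an added illustration of the defect class behind CVE-2014-0097 (example code written for this page, not Tomcat's own, with simplified stand-in parsers): a Content-Length parser that accumulates digits into a fixed-width signed 64-bit value with no overflow check, beside a hardened variant that rejects the header before it can wrap. Because Python integers are unbounded, the wrap-around a Java long would suffer is simulated explicitly.

```python
LONG_MAX = (1 << 63) - 1  # largest value a Java long can hold


def _wrap_signed_64(n: int) -> int:
    """Reduce an unbounded Python int to what a two's-complement 64-bit
    signed integer (a Java long) would hold after silent wrap-around."""
    n &= (1 << 64) - 1
    return n - (1 << 64) if n >= (1 << 63) else n


def parse_content_length_unchecked(value: str) -> int:
    """Digit-by-digit accumulation with no overflow check, modelling the
    defect class in the advisory: an oversized header silently wraps to a
    small, zero or negative length instead of being rejected."""
    n = 0
    for ch in value.strip():
        if not ("0" <= ch <= "9"):
            raise ValueError(f"non-digit in Content-Length: {value!r}")
        n = _wrap_signed_64(n * 10 + (ord(ch) - ord("0")))
    return n


def parse_content_length_checked(value: str) -> int:
    """Hardened variant: refuses the header before the accumulator could
    exceed LONG_MAX, so no value ever wraps; also rejects an empty header."""
    s = value.strip()
    if not s:
        raise ValueError("empty Content-Length")
    n = 0
    for ch in s:
        if not ("0" <= ch <= "9"):
            raise ValueError(f"non-digit in Content-Length: {value!r}")
        digit = ord(ch) - ord("0")
        if n > (LONG_MAX - digit) // 10:  # n * 10 + digit would exceed LONG_MAX
            raise ValueError(f"Content-Length exceeds 64-bit range: {value!r}")
        n = n * 10 + digit
    return n


def is_rejected(value: str) -> bool:
    """True if the hardened parser refuses the constructed header value."""
    try:
        parse_content_length_checked(value)
    except ValueError:
        return True
    return False
```

A front end that parses the header correctly and a back end whose parser has wrapped now disagree on where the request body ends, which is the framing mismatch the advisory describes; the hardened parser removes the disagreement by refusing the header outright.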