CVE-2014-0227

Impact:
Moderate
Public Date:
2015-02-09
IAVA:
2016-A-0226
CWE:
CWE-400
Bugzilla:
1109196: CVE-2014-0227 Tomcat/JBossWeb: request smuggling and limited DoS in ChunkedInputFilter
It was discovered that the ChunkedInputFilter in Tomcat did not fail subsequent attempts to read input after malformed chunked encoding was detected. A remote attacker could possibly use this flaw to make Tomcat process part of the request body as new request, or cause a denial of service.

Find out more about CVE-2014-0227 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 4.3
Base Metrics AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact Partial
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Portal 6.2 RHSA-2015:1009 2015-05-14
Red Hat JBoss Fuse Service Works 6.0 RHSA-2015:0720 2015-03-24
Red Hat JBoss BPMS 6.0 RHSA-2015:0234 2015-02-17
Red Hat JBoss Enterprise Application Platform 6.3 RHSA-2014:1021 2014-08-06
Red Hat JBoss Data Virtualization 6.0 RHSA-2015:0765 2015-03-31
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (jbossweb) RHSA-2014:1019 2014-08-06
Red Hat Enterprise Linux 6 (tomcat6) RHSA-2015:0991 2015-05-12
Red Hat JBoss Operations Network 3.3 RHSA-2014:1904 2014-11-25
Red Hat Enterprise Linux 7 (tomcat) RHSA-2015:0983 2015-05-12
Red Hat JBoss Data Grid 6.4 RHSA-2015:0091 2015-01-27
Red Hat JBoss Web Server 2.1 RHSA-2014:1086 2014-08-21
Red Hat JBoss Enterprise Web Server 2 for RHEL 5 Server RHSA-2014:1088 2014-08-21
Red Hat JBoss Data Virtualization 6.1 RHSA-2015:0675 2015-03-11
Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server RHSA-2014:1087 2014-08-21
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jbossweb) RHSA-2014:1020 2014-08-06
Red Hat JBoss BRMS 6.0 RHSA-2015:0235 2015-02-17

Affected Packages State

Platform Package State
Red Hat JBoss EWS 1 tomcat6 Will not fix
Red Hat JBoss EWS 1 tomcat5 Will not fix
Red Hat JBoss EAP 5 jbossweb Will not fix
Red Hat Enterprise Linux 5 tomcat5 Will not fix
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.

External References

Last Modified