CVE-2011-0534
First published: Thu Feb 10 2011(Updated: )
Apache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not enforce the maxHttpHeaderSize limit for requests involving the NIO HTTP connector, which allows remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tomcat | =7.0.0 | |
| Apache Tomcat | =7.0.1 | |
| Apache Tomcat | =7.0.2 | |
| Apache Tomcat | =7.0.3 | |
| Apache Tomcat | =7.0.4 | |
| Apache Tomcat | =7.0.5 | |
| Apache Tomcat | =7.0.6 | |
| Apache Tomcat | =6.0.0 | |
| Apache Tomcat | =6.0.1 | |
| Apache Tomcat | =6.0.2 | |
| Apache Tomcat | =6.0.3 | |
| Apache Tomcat | =6.0.4 | |
| Apache Tomcat | =6.0.5 | |
| Apache Tomcat | =6.0.6 | |
| Apache Tomcat | =6.0.7 | |
| Apache Tomcat | =6.0.8 | |
| Apache Tomcat | =6.0.9 | |
| Apache Tomcat | =6.0.10 | |
| Apache Tomcat | =6.0.11 | |
| Apache Tomcat | =6.0.12 | |
| Apache Tomcat | =6.0.13 | |
| Apache Tomcat | =6.0.14 | |
| Apache Tomcat | =6.0.15 | |
| Apache Tomcat | =6.0.16 | |
| Apache Tomcat | =6.0.17 | |
| Apache Tomcat | =6.0.18 | |
| Apache Tomcat | =6.0.19 | |
| Apache Tomcat | =6.0.20 | |
| Apache Tomcat | =6.0.24 | |
| Apache Tomcat | =6.0.26 | |
| Apache Tomcat | =6.0.27 | |
| Apache Tomcat | =6.0.28 | |
| Apache Tomcat | =6.0.29 | |
| Apache Tomcat | =6.0.30 | |
| maven/org.apache.tomcat:tomcat | >=7.0.0<=7.0.6 | 7.0.8 |
| maven/org.apache.tomcat:tomcat | >=6.0.0<=6.0.30 | 6.0.32 |
| =7.0.0 | ||
| =7.0.1 | ||
| =7.0.2 | ||
| =7.0.3 | ||
| =7.0.4 | ||
| =7.0.5 | ||
| =7.0.6 | ||
| =6.0.0 | ||
| =6.0.1 | ||
| =6.0.2 | ||
| =6.0.3 | ||
| =6.0.4 | ||
| =6.0.5 | ||
| =6.0.6 | ||
| =6.0.7 | ||
| =6.0.8 | ||
| =6.0.9 | ||
| =6.0.10 | ||
| =6.0.11 | ||
| =6.0.12 | ||
| =6.0.13 | ||
| =6.0.14 | ||
| =6.0.15 | ||
| =6.0.16 | ||
| =6.0.17 | ||
| =6.0.18 | ||
| =6.0.19 | ||
| =6.0.20 | ||
| =6.0.24 | ||
| =6.0.26 | ||
| =6.0.27 | ||
| =6.0.28 | ||
| =6.0.29 | ||
| =6.0.30 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
- http://marc.info/?l=bugtraq&m=139344343412337&w=2
- http://osvdb.org/70809
- http://secunia.com/advisories/43192
- http://secunia.com/advisories/45022
- http://secunia.com/advisories/57126
- http://securityreason.com/securityalert/8074
- http://support.apple.com/kb/HT5002
- http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html
- http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.32
- http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.8_(released_5_Feb_2011)
- http://www.debian.org/security/2011/dsa-2160
- http://www.securityfocus.com/archive/1/516214/100/0/threaded
- http://www.securityfocus.com/bid/46164
- http://www.securitytracker.com/id?1025027
- http://www.vupen.com/english/advisories/2011/0293
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65162
- http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.8_%28released_5_Feb_2011%29
- https://nvd.nist.gov/vuln/detail/CVE-2011-0534
- https://github.com/apache/tomcat/commit/008447095ce8c3a8f713093d5e618f3f06f94ea8
- https://support.apple.com/kb/HT5002
- https://web.archive.org/web/20110801035315/http://secunia.com/advisories/45022
- https://web.archive.org/web/20120120085637/http://securityreason.com/securityalert/8074
- https://web.archive.org/web/20121024140440/http://secunia.com/advisories/43192
- https://web.archive.org/web/20121212040149/http://www.securitytracker.com/id?1025027
- https://web.archive.org/web/20131227020011/http://www.securityfocus.com/bid/46164
- https://web.archive.org/web/20151017023138/http://secunia.com/advisories/57126
- https://web.archive.org/web/20200517155748/http://www.securityfocus.com/archive/1/516214/100/0/threaded
- https://github.com/advisories/GHSA-43v2-6grp-9pp9 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2011-0534?
CVE-2011-0534 is considered to have a high severity due to the potential for denial of service attacks resulting in an OutOfMemoryError.
How do I fix CVE-2011-0534?
To fix CVE-2011-0534, upgrade to Apache Tomcat version 7.0.8 or later for Tomcat 7, or version 6.0.32 or later for Tomcat 6.
What versions of Apache Tomcat are affected by CVE-2011-0534?
CVE-2011-0534 affects Apache Tomcat versions 7.0.0 to 7.0.6 and 6.0.0 to 6.0.30.
What kind of attacks can exploit CVE-2011-0534?
CVE-2011-0534 can be exploited by remote attackers sending crafted HTTP requests, leading to a denial of service.
Is CVE-2011-0534 a local or remote vulnerability?
CVE-2011-0534 is a remote vulnerability, allowing attackers to exploit it without local access.
- collector/nvd-index
- collector/nvd-historical
- collector/nvd-api
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-43v2-6grp-9pp9
- alias/CVE-2011-0534
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/references
- agent/weakness
- agent/description
- agent/softwarecombine
- agent/author
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/tags
- agent/source
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/7.0.0
- version/apache tomcat/7.0.1
- version/apache tomcat/7.0.2
- version/apache tomcat/7.0.3
- version/apache tomcat/7.0.4
- version/apache tomcat/7.0.5
- version/apache tomcat/7.0.6
- version/apache tomcat/6.0.0
- version/apache tomcat/6.0.1
- version/apache tomcat/6.0.2
- version/apache tomcat/6.0.3
- version/apache tomcat/6.0.4
- version/apache tomcat/6.0.5
- version/apache tomcat/6.0.6
- version/apache tomcat/6.0.7
- version/apache tomcat/6.0.8
- version/apache tomcat/6.0.9
- version/apache tomcat/6.0.10
- version/apache tomcat/6.0.11
- version/apache tomcat/6.0.12
- version/apache tomcat/6.0.13
- version/apache tomcat/6.0.14
- version/apache tomcat/6.0.15
- version/apache tomcat/6.0.16
- version/apache tomcat/6.0.17
- version/apache tomcat/6.0.18
- version/apache tomcat/6.0.19
- version/apache tomcat/6.0.20
- version/apache tomcat/6.0.24
- version/apache tomcat/6.0.26
- version/apache tomcat/6.0.27
- version/apache tomcat/6.0.28
- version/apache tomcat/6.0.29
- version/apache tomcat/6.0.30
- package-manager/maven