CVE-2014-0227: Input Validation
First published: Fri Jun 13 2014(Updated: )
`java/org/apache/coyote/http11/filters/ChunkedInputFilter.java` in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/JBossWeb | <7.4.6. | 7.4.6. |
| redhat/Tomcat | <7.0.55 | 7.0.55 |
| redhat/Tomcat | <6.0.43 | 6.0.43 |
| Apache Tomcat | =6.0.0 | |
| Apache Tomcat | =6.0.0-alpha | |
| Apache Tomcat | =6.0.1 | |
| Apache Tomcat | =6.0.1-alpha | |
| Apache Tomcat | =6.0.2 | |
| Apache Tomcat | =6.0.2-alpha | |
| Apache Tomcat | =6.0.2-beta | |
| Apache Tomcat | =6.0.3 | |
| Apache Tomcat | =6.0.4 | |
| Apache Tomcat | =6.0.4-alpha | |
| Apache Tomcat | =6.0.5 | |
| Apache Tomcat | =6.0.6 | |
| Apache Tomcat | =6.0.6-alpha | |
| Apache Tomcat | =6.0.7 | |
| Apache Tomcat | =6.0.7-alpha | |
| Apache Tomcat | =6.0.7-beta | |
| Apache Tomcat | =6.0.8 | |
| Apache Tomcat | =6.0.8-alpha | |
| Apache Tomcat | =6.0.9 | |
| Apache Tomcat | =6.0.9-beta | |
| Apache Tomcat | =6.0.10 | |
| Apache Tomcat | =6.0.11 | |
| Apache Tomcat | =6.0.12 | |
| Apache Tomcat | =6.0.13 | |
| Apache Tomcat | =6.0.14 | |
| Apache Tomcat | =6.0.15 | |
| Apache Tomcat | =6.0.16 | |
| Apache Tomcat | =6.0.17 | |
| Apache Tomcat | =6.0.18 | |
| Apache Tomcat | =6.0.19 | |
| Apache Tomcat | =6.0.20 | |
| Apache Tomcat | =6.0.24 | |
| Apache Tomcat | =6.0.26 | |
| Apache Tomcat | =6.0.27 | |
| Apache Tomcat | =6.0.28 | |
| Apache Tomcat | =6.0.29 | |
| Apache Tomcat | =6.0.30 | |
| Apache Tomcat | =6.0.31 | |
| Apache Tomcat | =6.0.32 | |
| Apache Tomcat | =6.0.33 | |
| Apache Tomcat | =6.0.35 | |
| Apache Tomcat | =6.0.36 | |
| Apache Tomcat | =6.0.37 | |
| Apache Tomcat | =6.0.39 | |
| Apache Tomcat | =6.0.41 | |
| Apache Tomcat | =7.0.0 | |
| Apache Tomcat | =7.0.0-beta | |
| Apache Tomcat | =7.0.1 | |
| Apache Tomcat | =7.0.2 | |
| Apache Tomcat | =7.0.2-beta | |
| Apache Tomcat | =7.0.3 | |
| Apache Tomcat | =7.0.4 | |
| Apache Tomcat | =7.0.4-beta | |
| Apache Tomcat | =7.0.5 | |
| Apache Tomcat | =7.0.6 | |
| Apache Tomcat | =7.0.7 | |
| Apache Tomcat | =7.0.8 | |
| Apache Tomcat | =7.0.9 | |
| Apache Tomcat | =7.0.10 | |
| Apache Tomcat | =7.0.11 | |
| Apache Tomcat | =7.0.12 | |
| Apache Tomcat | =7.0.13 | |
| Apache Tomcat | =7.0.14 | |
| Apache Tomcat | =7.0.15 | |
| Apache Tomcat | =7.0.16 | |
| Apache Tomcat | =7.0.17 | |
| Apache Tomcat | =7.0.18 | |
| Apache Tomcat | =7.0.19 | |
| Apache Tomcat | =7.0.20 | |
| Apache Tomcat | =7.0.21 | |
| Apache Tomcat | =7.0.22 | |
| Apache Tomcat | =7.0.23 | |
| Apache Tomcat | =7.0.24 | |
| Apache Tomcat | =7.0.25 | |
| Apache Tomcat | =7.0.26 | |
| Apache Tomcat | =7.0.27 | |
| Apache Tomcat | =7.0.28 | |
| Apache Tomcat | =7.0.29 | |
| Apache Tomcat | =7.0.30 | |
| Apache Tomcat | =7.0.31 | |
| Apache Tomcat | =7.0.32 | |
| Apache Tomcat | =7.0.33 | |
| Apache Tomcat | =7.0.34 | |
| Apache Tomcat | =7.0.35 | |
| Apache Tomcat | =7.0.36 | |
| Apache Tomcat | =7.0.37 | |
| Apache Tomcat | =7.0.38 | |
| Apache Tomcat | =7.0.39 | |
| Apache Tomcat | =7.0.40 | |
| Apache Tomcat | =7.0.41 | |
| Apache Tomcat | =7.0.42 | |
| Apache Tomcat | =7.0.43 | |
| Apache Tomcat | =7.0.44 | |
| Apache Tomcat | =7.0.45 | |
| Apache Tomcat | =7.0.46 | |
| Apache Tomcat | =7.0.47 | |
| Apache Tomcat | =7.0.48 | |
| Apache Tomcat | =7.0.49 | |
| Apache Tomcat | =7.0.50 | |
| Apache Tomcat | =7.0.52 | |
| Apache Tomcat | =7.0.53 | |
| Apache Tomcat | =7.0.54 | |
| Apache Tomcat | =8.0.0-rc1 | |
| Apache Tomcat | =8.0.0-rc10 | |
| Apache Tomcat | =8.0.0-rc2 | |
| Apache Tomcat | =8.0.0-rc5 | |
| Apache Tomcat | =8.0.1 | |
| Apache Tomcat | =8.0.3 | |
| Apache Tomcat | =8.0.5 | |
| Apache Tomcat | =8.0.8 | |
| maven/org.apache.tomcat:tomcat | >=8.0.0<8.0.9 | 8.0.9 |
| maven/org.apache.tomcat:tomcat | >=7.0.0<7.0.55 | 7.0.55 |
| maven/org.apache.tomcat:tomcat | >=6.0.0<6.0.42 | 6.0.42 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://svn.apache.org/viewvc?view=revision&revision=1600984
- https://source.jboss.org/changelog/JBossWeb?cs=2455
- https://svn.apache.org/viewvc?view=revision&revision=1603628
- https://svn.apache.org/viewvc?view=revision&revision=1601333
- https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.43
- https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.55
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1190821
- https://rhn.redhat.com/errata/RHSA-2015-0235.html
- https://rhn.redhat.com/errata/RHSA-2015-0234.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1109196#c18
- https://rhn.redhat.com/errata/RHSA-2015-0675.html
- https://rhn.redhat.com/errata/RHSA-2015-0720.html
- https://rhn.redhat.com/errata/RHSA-2015-0765.html
- https://rhn.redhat.com/errata/RHSA-2015-0983.html
- https://rhn.redhat.com/errata/RHSA-2015-0991.html
- https://rhn.redhat.com/errata/RHSA-2015-1009.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1109196
- http://advisories.mageia.org/MGASA-2015-0081.html
- http://archives.neohapsis.com/archives/bugtraq/2015-02/0067.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html
- http://marc.info/?l=bugtraq&m=143393515412274&w=2
- http://marc.info/?l=bugtraq&m=143403519711434&w=2
- http://rhn.redhat.com/errata/RHSA-2015-0675.html
- http://rhn.redhat.com/errata/RHSA-2015-0720.html
- http://rhn.redhat.com/errata/RHSA-2015-0765.html
- http://rhn.redhat.com/errata/RHSA-2015-0983.html
- http://rhn.redhat.com/errata/RHSA-2015-0991.html
- http://tomcat.apache.org/security-6.html
- http://tomcat.apache.org/security-7.html
- http://tomcat.apache.org/security-8.html
- http://www.debian.org/security/2016/dsa-3447
- http://www.debian.org/security/2016/dsa-3530
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:052
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:053
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.securityfocus.com/bid/72717
- http://www.securitytracker.com/id/1032791
- http://www.ubuntu.com/usn/USN-2654-1
- http://www.ubuntu.com/usn/USN-2655-1
- https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2014-0227
- https://github.com/apache/tomcat/commit/593a2447e6ebe465585cfa07e93b5635dffa1c70
- https://github.com/advisories/GHSA-42j3-498q-m6vp (Advisory)
- https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-42j3-498q-m6vp
- alias/CVE-2014-0227
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/description
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/6.0.0
- version/apache tomcat/6.0.0-alpha
- version/apache tomcat/6.0.1
- version/apache tomcat/6.0.1-alpha
- version/apache tomcat/6.0.2
- version/apache tomcat/6.0.2-alpha
- version/apache tomcat/6.0.2-beta
- version/apache tomcat/6.0.3
- version/apache tomcat/6.0.4
- version/apache tomcat/6.0.4-alpha
- version/apache tomcat/6.0.5
- version/apache tomcat/6.0.6
- version/apache tomcat/6.0.6-alpha
- version/apache tomcat/6.0.7
- version/apache tomcat/6.0.7-alpha
- version/apache tomcat/6.0.7-beta
- version/apache tomcat/6.0.8
- version/apache tomcat/6.0.8-alpha
- version/apache tomcat/6.0.9
- version/apache tomcat/6.0.9-beta
- version/apache tomcat/6.0.10
- version/apache tomcat/6.0.11
- version/apache tomcat/6.0.12
- version/apache tomcat/6.0.13
- version/apache tomcat/6.0.14
- version/apache tomcat/6.0.15
- version/apache tomcat/6.0.16
- version/apache tomcat/6.0.17
- version/apache tomcat/6.0.18
- version/apache tomcat/6.0.19
- version/apache tomcat/6.0.20
- version/apache tomcat/6.0.24
- version/apache tomcat/6.0.26
- version/apache tomcat/6.0.27
- version/apache tomcat/6.0.28
- version/apache tomcat/6.0.29
- version/apache tomcat/6.0.30
- version/apache tomcat/6.0.31
- version/apache tomcat/6.0.32
- version/apache tomcat/6.0.33
- version/apache tomcat/6.0.35
- version/apache tomcat/6.0.36
- version/apache tomcat/6.0.37
- version/apache tomcat/6.0.39
- version/apache tomcat/6.0.41
- version/apache tomcat/7.0.0
- version/apache tomcat/7.0.0-beta
- version/apache tomcat/7.0.1
- version/apache tomcat/7.0.2
- version/apache tomcat/7.0.2-beta
- version/apache tomcat/7.0.3
- version/apache tomcat/7.0.4
- version/apache tomcat/7.0.4-beta
- version/apache tomcat/7.0.5
- version/apache tomcat/7.0.6
- version/apache tomcat/7.0.7
- version/apache tomcat/7.0.8
- version/apache tomcat/7.0.9
- version/apache tomcat/7.0.10
- version/apache tomcat/7.0.11
- version/apache tomcat/7.0.12
- version/apache tomcat/7.0.13
- version/apache tomcat/7.0.14
- version/apache tomcat/7.0.15
- version/apache tomcat/7.0.16
- version/apache tomcat/7.0.17
- version/apache tomcat/7.0.18
- version/apache tomcat/7.0.19
- version/apache tomcat/7.0.20
- version/apache tomcat/7.0.21
- version/apache tomcat/7.0.22
- version/apache tomcat/7.0.23
- version/apache tomcat/7.0.24
- version/apache tomcat/7.0.25
- version/apache tomcat/7.0.26
- version/apache tomcat/7.0.27
- version/apache tomcat/7.0.28
- version/apache tomcat/7.0.29
- version/apache tomcat/7.0.30
- version/apache tomcat/7.0.31
- version/apache tomcat/7.0.32
- version/apache tomcat/7.0.33
- version/apache tomcat/7.0.34
- version/apache tomcat/7.0.35
- version/apache tomcat/7.0.36
- version/apache tomcat/7.0.37
- version/apache tomcat/7.0.38
- version/apache tomcat/7.0.39
- version/apache tomcat/7.0.40
- version/apache tomcat/7.0.41
- version/apache tomcat/7.0.42
- version/apache tomcat/7.0.43
- version/apache tomcat/7.0.44
- version/apache tomcat/7.0.45
- version/apache tomcat/7.0.46
- version/apache tomcat/7.0.47
- version/apache tomcat/7.0.48
- version/apache tomcat/7.0.49
- version/apache tomcat/7.0.50
- version/apache tomcat/7.0.52
- version/apache tomcat/7.0.53
- version/apache tomcat/7.0.54
- version/apache tomcat/8.0.0-rc1
- version/apache tomcat/8.0.0-rc10
- version/apache tomcat/8.0.0-rc2
- version/apache tomcat/8.0.0-rc5
- version/apache tomcat/8.0.1
- version/apache tomcat/8.0.3
- version/apache tomcat/8.0.5
- version/apache tomcat/8.0.8
- package-manager/maven
- package-manager/redhat