Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Apache
  • Tomcat
Redhat
  • Certificate System
  • Enterprise Linux
  • Jboss Enterprise Web Server
  • Network Satellite
  • Rhel Application Server
  • Rhel Developer Suite

Configuration 1 [-]

OR cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.9:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.30:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.32:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.33:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.34:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.35:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.36:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.37:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.38:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:4.1.39:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
Package CPE Advisory Released Date
JBEWS 1.0 for RHEL 4
tomcat5-0:5.5.23-1.patch07.19.ep5.el4 cpe:/a:redhat:jboss_enterprise_web_server:1::el4 RHSA-2009:1454 2009-09-21T00:00:00Z
tomcat6-0:6.0.18-11.3.ep5.el4 cpe:/a:redhat:jboss_enterprise_web_server:1::el4 RHSA-2009:1506 2009-10-14T00:00:00Z
Red Hat Certificate System 7.3
ant-0:1.6.5-1jpp_1rh cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
avalon-logkit-0:1.2-2jpp_4rh cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
axis-0:1.2.1-1jpp_3rh cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
classpathx-jaf-0:1.0-2jpp_6rh cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
classpathx-mail-0:1.1.1-2jpp_8rh cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
geronimo-specs-0:1.0-0.M4.1jpp_10rh cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
jakarta-commons-modeler-0:2.0-3jpp_2rh cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
log4j-0:1.2.12-1jpp_1rh cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
mx4j-1:3.0.1-1jpp_4rh cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
pcsc-lite-0:1.3.3-3.el4 cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
rhpki-ca-0:7.3.0-20.el4 cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
rhpki-java-tools-0:7.3.0-10.el4 cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
rhpki-kra-0:7.3.0-14.el4 cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
rhpki-manage-0:7.3.0-19.el4 cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
rhpki-native-tools-0:7.3.0-6.el4 cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
rhpki-ocsp-0:7.3.0-13.el4 cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
rhpki-tks-0:7.3.0-13.el4 cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
tomcat5-0:5.5.23-0jpp_4rh.16 cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
xerces-j2-0:2.7.1-1jpp_1rh cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
xml-commons-0:1.3.02-2jpp_1rh cpe:/a:redhat:certificate_system:7.3 RHSA-2010:0602 2010-08-04T00:00:00Z
Red Hat Developer Suite V.3
tomcat5-0:5.5.23-0jpp_18rh cpe:/a:redhat:rhel_developer_suite:3 RHSA-2009:1563 2009-11-09T00:00:00Z
Red Hat Enterprise Linux 5
tomcat5-0:5.5.23-0jpp.7.el5_3.2 cpe:/o:redhat:enterprise_linux:5 RHSA-2009:1164 2009-07-21T00:00:00Z
Red Hat JBoss Enterprise Web Server 1 for RHEL 5
tomcat5-0:5.5.23-0jpp.9.6.ep5.el5 cpe:/a:redhat:jboss_enterprise_web_server:1::el5 RHSA-2009:1454 2009-09-21T00:00:00Z
tomcat6-0:6.0.18-12.0.ep5.el5 cpe:/a:redhat:jboss_enterprise_web_server:1::el5 RHSA-2009:1506 2009-10-14T00:00:00Z
Red Hat Network Satellite Server v 5.1
tomcat5-0:5.0.30-0jpp_16rh cpe:/a:redhat:network_satellite:5.1::el4 RHSA-2009:1617 2009-11-30T00:00:00Z
Red Hat Network Satellite Server v 5.2
tomcat5-0:5.5.23-0jpp_18rh cpe:/a:redhat:network_satellite:5.2::el4 RHSA-2009:1616 2009-11-30T00:00:00Z
Red Hat Network Satellite Server v 5.3
tomcat5-0:5.5.23-0jpp_18rh cpe:/a:redhat:network_satellite:5.3::el4 RHSA-2009:1616 2009-11-30T00:00:00Z
RHAPS Version 2 for RHEL 4
tomcat5-0:5.5.23-0jpp_4rh.16 cpe:/a:redhat:rhel_application_server:2 RHSA-2009:1562 2009-11-09T00:00:00Z
References
Link Providers
http://jvn.jp/en/jp/JVN87272440/index.html cve-icon cve-icon
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html cve-icon cve-icon
http://marc.info/?l=bugtraq&m=127420533226623&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=129070310906557&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=133469267822771&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=136485229118404&w=2 cve-icon cve-icon
http://secunia.com/advisories/35326 cve-icon cve-icon
http://secunia.com/advisories/35344 cve-icon cve-icon
http://secunia.com/advisories/35685 cve-icon cve-icon
http://secunia.com/advisories/35788 cve-icon cve-icon
http://secunia.com/advisories/37460 cve-icon cve-icon
http://secunia.com/advisories/42368 cve-icon cve-icon
http://securitytracker.com/id?1022331 cve-icon cve-icon
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1 cve-icon cve-icon
http://support.apple.com/kb/HT4077 cve-icon cve-icon
http://svn.apache.org/viewvc?rev=742915&view=rev cve-icon cve-icon
http://svn.apache.org/viewvc?rev=781362&view=rev cve-icon cve-icon
http://tomcat.apache.org/security-4.html cve-icon cve-icon
http://tomcat.apache.org/security-5.html cve-icon cve-icon
http://tomcat.apache.org/security-6.html cve-icon cve-icon
http://www.debian.org/security/2011/dsa-2207 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176 cve-icon cve-icon
http://www.securityfocus.com/archive/1/504044/100/0/threaded cve-icon cve-icon
http://www.securityfocus.com/archive/1/507985/100/0/threaded cve-icon cve-icon
http://www.securityfocus.com/bid/35193 cve-icon cve-icon
http://www.vmware.com/security/advisories/VMSA-2009-0016.html cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/1496 cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/1856 cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/3316 cve-icon cve-icon
http://www.vupen.com/english/advisories/2010/3056 cve-icon cve-icon
https://exchange.xforce.ibmcloud.com/vulnerabilities/50928 cve-icon cve-icon
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2009-0033 cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10231 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19110 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5739 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2009-0033 cve-icon
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html cve-icon cve-icon
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html cve-icon cve-icon
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2009-06-05T15:25:00

Updated: 2024-08-07T04:17:10.437Z

Reserved: 2008-12-15T00:00:00

Link: CVE-2009-0033

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2009-06-05T16:00:00.187

Modified: 2024-11-21T00:58:54.777

Link: CVE-2009-0033

cve-icon Redhat

Severity : Important

Publid Date: 2009-06-03T00:00:00Z

Links: CVE-2009-0033 - Bugzilla