Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Apache
  • Tomcat
Redhat
  • Enterprise Linux
  • Jboss Communications Platform
  • Jboss Enterprise Application Platform
  • Jboss Enterprise Brms Platform
  • Jboss Enterprise Portal Platform
  • Jboss Enterprise Web Platform
  • Jboss Enterprise Web Server
  • Jboss Operations Network
  • Jboss Soa Platform

Configuration 1 [-]

OR cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.30:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.31:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.32:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.33:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.34:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*
Package CPE Advisory Released Date
JBEWP 5 for RHEL 5
jbossweb-0:2.1.12-3_patch_03.2.ep5.el5 cpe:/a:redhat:jboss_enterprise_web_platform:5::el5 RHSA-2012:0076 2012-01-31T00:00:00Z
JBEWP 5 for RHEL 6
jbossweb-0:2.1.12-3_patch_03.2.ep5.el6 cpe:/a:redhat:jboss_enterprise_web_platform:5::el6 RHSA-2012:0076 2012-01-31T00:00:00Z
JBoss Communications Platform 5.1
cpe:/a:redhat:jboss_communications_platform:5.1 RHSA-2012:0078 2012-01-31T00:00:00Z
JBoss Enterprise BRMS Platform 5.1
cpe:/a:redhat:jboss_enterprise_brms_platform:5.1 RHSA-2012:0325 2012-02-22T00:00:00Z
Red Hat Enterprise Linux 5
tomcat5-0:5.5.23-0jpp.31.el5_8 cpe:/o:redhat:enterprise_linux:5 RHSA-2012:0474 2012-04-11T00:00:00Z
Red Hat Enterprise Linux 6
tomcat6-0:6.0.24-36.el6_2 cpe:/o:redhat:enterprise_linux:6 RHSA-2012:0475 2012-04-11T00:00:00Z
Red Hat JBoss Enterprise Application Platform 5.1
cpe:/a:redhat:jboss_enterprise_application_platform:5.1 RHSA-2012:0075 2012-01-31T00:00:00Z
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4
jbossweb-0:2.1.12-3_patch_03.2.ep5.el4 cpe:/a:redhat:jboss_enterprise_application_platform:5::el4 RHSA-2012:0074 2012-01-31T00:00:00Z
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5
jbossweb-0:2.1.12-3_patch_03.2.ep5.el5 cpe:/a:redhat:jboss_enterprise_application_platform:5::el5 RHSA-2012:0074 2012-01-31T00:00:00Z
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6
jbossweb-0:2.1.12-3_patch_03.2.ep5.el6 cpe:/a:redhat:jboss_enterprise_application_platform:5::el6 RHSA-2012:0074 2012-01-31T00:00:00Z
Red Hat JBoss Enterprise Web Server 1 for RHEL 5
tomcat5-0:5.5.33-27_patch_07.ep5.el5 cpe:/a:redhat:jboss_enterprise_web_server:1::el5 RHSA-2012:0680 2012-05-21T00:00:00Z
tomcat6-0:6.0.32-24_patch_07.ep5.el5 cpe:/a:redhat:jboss_enterprise_web_server:1::el5 RHSA-2012:0682 2012-05-21T00:00:00Z
Red Hat JBoss Enterprise Web Server 1 for RHEL 6
tomcat5-0:5.5.33-28_patch_07.ep5.el6 cpe:/a:redhat:jboss_enterprise_web_server:1::el6 RHSA-2012:0680 2012-05-21T00:00:00Z
tomcat6-0:6.0.32-24_patch_07.ep5.el6 cpe:/a:redhat:jboss_enterprise_web_server:1::el6 RHSA-2012:0682 2012-05-21T00:00:00Z
Red Hat JBoss Operations Network 3.1
cpe:/a:redhat:jboss_operations_network:3.1 RHSA-2012:1331 2012-10-03T00:00:00Z
Red Hat JBoss Portal 4.3
cpe:/a:redhat:jboss_enterprise_portal_platform:4.3 RHSA-2012:0345 2012-03-01T00:00:00Z
Red Hat JBoss Portal 5.2
cpe:/a:redhat:jboss_enterprise_portal_platform:5.2 RHSA-2012:0325 2012-02-22T00:00:00Z
Red Hat JBoss SOA Platform 5.2
cpe:/a:redhat:jboss_soa_platform:5.2 RHSA-2012:0325 2012-02-22T00:00:00Z
Red Hat JBoss Web Platform 5.1
cpe:/a:redhat:jboss_enterprise_web_platform:5.1 RHSA-2012:0077 2012-01-31T00:00:00Z
Red Hat JBoss Web Server 1.0
cpe:/a:redhat:jboss_enterprise_web_server:1.0 RHSA-2012:0679 2012-05-21T00:00:00Z
cpe:/a:redhat:jboss_enterprise_web_server:1.0 RHSA-2012:0681 2012-05-21T00:00:00Z
References
Link Providers
http://archives.neohapsis.com/archives/bugtraq/2012-01/0112.html cve-icon cve-icon
http://marc.info/?l=bugtraq&m=132871655717248&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=133294394108746&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=136485229118404&w=2 cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0074.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0075.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0076.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0077.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0078.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0325.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0345.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-1331.html cve-icon cve-icon
http://secunia.com/advisories/48213 cve-icon cve-icon
http://secunia.com/advisories/48549 cve-icon cve-icon
http://secunia.com/advisories/48790 cve-icon cve-icon
http://secunia.com/advisories/48791 cve-icon cve-icon
http://secunia.com/advisories/50863 cve-icon cve-icon
http://tomcat.apache.org/security-5.html cve-icon cve-icon
http://tomcat.apache.org/security-6.html cve-icon cve-icon
http://tomcat.apache.org/security-7.html cve-icon cve-icon
http://www.debian.org/security/2012/dsa-2401 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2012:085 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2013:150 cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html cve-icon cve-icon
http://www.securityfocus.com/bid/51447 cve-icon cve-icon
https://exchange.xforce.ibmcloud.com/vulnerabilities/72425 cve-icon cve-icon
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2012-0022 cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16925 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18934 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2012-0022 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2012-01-19T02:00:00

Updated: 2024-08-06T18:09:17.249Z

Reserved: 2011-12-07T00:00:00

Link: CVE-2012-0022

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2012-01-19T04:01:16.990

Modified: 2023-11-07T02:09:51.950

Link: CVE-2012-0022

cve-icon Redhat

Severity : Moderate

Publid Date: 2012-01-17T00:00:00Z

Links: CVE-2012-0022 - Bugzilla