Apache Tomcat 8.0.x < 8.0.9 Multiple DoS

Medium Nessus Plugin ID 81580


The remote Apache Tomcat server is affected by multiple denial of service vulnerabilities.


According to its self-reported version number, the Apache Tomcat server running on the remote host is 8.0.x prior to version 8.0.9. It is, therefore, affected by the following vulnerabilities :

- A flaw in 'ChunkedInputFilter.java' due to improper handling of attempts to continue reading data after an error has occurred. A remote attacker, using streaming data with malformed chunked transfer coding, can exploit this to conduct HTTP request smuggling or cause a denial of service. (CVE-2014-0227)

- An error exists due to a failure to limit the size of discarded requests. A remote attacker can exploit this to exhaust available memory resources, resulting in a denial of service condition. (CVE-2014-0230)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.


Upgrade to Apache Tomcat version 8.0.9 or later.

See Also



Plugin Details

Severity: Medium

ID: 81580

File Name: tomcat_8_0_9.nasl

Version: $Revision: 1.11 $

Type: remote

Family: Web Servers

Published: 2015/03/01

Modified: 2018/01/24

Dependencies: 39446

Risk Information

Risk Factor: Medium


Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C


Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:tomcat

Required KB Items: installed_sw/Apache Tomcat, Settings/ParanoidReport

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2014/06/24

Vulnerability Publication Date: 2015/02/09

Reference Information

CVE: CVE-2014-0227, CVE-2014-0230

BID: 72717, 74475

OSVDB: 118214, 120539