CVE-2014-0095 : java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before

java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a "Content-Length: 0" AJP request to trigger a hang in request processing.

Published 2014-05-31 11:17:13

Updated 2025-04-12 10:46:41

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2014-0095

Apache » Tomcat » Version: 8.0.0 Update RC5
cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.0.0 Update RC1
cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.0.0 Update RC2
cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.0.1
cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.0.0 Update Rc10
cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.0.3
cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2014-0095

Top countries where our scanners detected CVE-2014-0095

Top open port discovered on systems with this issue 80

IPs affected by CVE-2014-0095 682

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2014-0095!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2014-0095

EPSS FAQ

13.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 93 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2014-0095

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2014-0095

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-0095

http://tomcat.apache.org/security-8.html

Apache Tomcat® - Apache Tomcat 8 vulnerabilities
Vendor Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1030300

Apache Tomcat AJP Request Processing Flaw Lets Remote Users Deny Service - SecurityTracker
http://secunia.com/advisories/59873

Sign in

CVEs referencing this url
http://www-01.ibm.com/support/docview.wss?uid=swg21681528

IBM Security Bulletin: Apache Tomcat Vulnerabilities in IBM UrbanCode Release (CVE-2014-0075,CVE-2014-0095,CVE-2014-0096,CVE-2014-0099,CVE-2014-0119)

CVEs referencing this url
http://www.securityfocus.com/bid/67673

Apache Tomcat CVE-2014-0095 AJP Request Remote Denial Of Service Vulnerability
http://svn.apache.org/viewvc?view=revision&revision=1578392

[Apache-SVN] Revision 1578392
Patch
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Oracle Critical Patch Update - October 2014

CVEs referencing this url
http://www-01.ibm.com/support/docview.wss?uid=swg21678231

IBM Security Bulletin: Rational Lifecycle Adapter for HP ALM Apache Tomcat fix (CVE-2013-4286, CVE-2014-0033, CVE-2013-4322, CVE-2013-4590, CVE-2014-0075, CVE-2014-0095, CVE-2014-0096, CVE-2014-0099,

CVEs referencing this url
http://secunia.com/advisories/60729

Sign in

CVEs referencing this url
http://seclists.org/fulldisclosure/2014/May/134

Full Disclosure: [SECURITY] CVE-2014-0095 Apache Tomcat denial of service