Vulnerability Details : CVE-2014-0230
Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
Vulnerability category: Denial of service
Products affected by CVE-2014-0230
- cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.7:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.6:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.7:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.9:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.4:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.8:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.36:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.37:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.41:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.39:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.43:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:virtualization:4.63:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:virtualization:4.71:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:virtualization:5.1:*:*:*:*:*:*:*
Threat overview for CVE-2014-0230
Top countries where our scanners detected CVE-2014-0230
Top open port discovered on systems with this issue
80
IPs affected by CVE-2014-0230 56,171
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2014-0230!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2014-0230
7.76%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 91 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-0230
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.8
|
HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
10.0
|
6.9
|
NIST |
CWE ids for CVE-2014-0230
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-0230
-
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
svn commit: r1855831 [23/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ - Pony Mail
-
https://access.redhat.com/errata/RHSA-2015:2660
RHSA-2015:2660 - Security Advisory - Red Hat Customer Portal
-
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
Pony Mail!
-
http://tomcat.apache.org/security-8.html
Apache Tomcat® - Apache Tomcat 8 vulnerabilitiesPatch;Vendor Advisory
-
http://svn.apache.org/viewvc?view=revision&revision=1603775
[Apache-SVN] Revision 1603775
-
http://www.securityfocus.com/bid/74475
Apache Tomcat CVE-2014-0230 Denial of Service Vulnerability
-
http://rhn.redhat.com/errata/RHSA-2016-0596.html
RHSA-2016:0596 - Security Advisory - Red Hat Customer Portal
-
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
Apache Mail Archives
-
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
svn commit: r1856174 [21/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ - Pony Mail
-
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
Apache Mail Archives
-
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
Apache Mail Archives
-
https://access.redhat.com/errata/RHSA-2015:2659
RHSA-2015:2659 - Security Advisory - Red Hat Customer Portal
-
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
Apache Mail Archives
-
http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
Oracle Solaris Third Party Bulletin - October 2015
-
http://svn.apache.org/viewvc?view=revision&revision=1603779
[Apache-SVN] Revision 1603779
-
http://tomcat.apache.org/security-6.html
Apache Tomcat® - Apache Tomcat 6 vulnerabilitiesPatch;Vendor Advisory
-
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
Pony Mail!
-
http://www.debian.org/security/2016/dsa-3447
Debian -- Security Information -- DSA-3447-1 tomcat7
-
http://tomcat.apache.org/security-7.html
Apache Tomcat® - Apache Tomcat 7 vulnerabilitiesPatch;Vendor Advisory
-
https://issues.jboss.org/browse/JWS-220
[JWS-220] CVE-2014-0230 tomcat7: non-persistent DoS attack by feeding data by aborting an upload - JBoss Issue Tracker
-
http://rhn.redhat.com/errata/RHSA-2016-0599.html
Red Hat Customer Portal
-
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
Apache Mail Archives
-
http://rhn.redhat.com/errata/RHSA-2016-0598.html
RHSA-2016:0598 - Security Advisory - Red Hat Customer Portal
-
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
Apache Mail Archives
-
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
HPSBOV03503 rev.3 - HP OpenVMS CSWS_JAVA running Tomcat, Multiple Remote Vulnerabilities
-
http://svn.apache.org/viewvc?view=revision&revision=1603770
[Apache-SVN] Revision 1603770
-
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
svn commit: r1857582 [16/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ - Pony Mail
-
http://rhn.redhat.com/errata/RHSA-2016-0595.html
RHSA-2016:0595 - Security Advisory - Red Hat Customer Portal
-
http://www.ubuntu.com/usn/USN-2655-1
USN-2655-1: Tomcat vulnerabilities | Ubuntu security notices
-
https://issues.jboss.org/browse/JWS-219
[JWS-219] CVE-2014-0230 tomcat8: non-persistent DoS attack by feeding data by aborting an upload - JBoss Issue Tracker
-
http://rhn.redhat.com/errata/RHSA-2015-1622.html
RHSA-2015:1622 - Security Advisory - Red Hat Customer Portal
-
http://www.debian.org/security/2016/dsa-3530
Debian -- Security Information -- DSA-3530-1 tomcat6
-
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
Apache Mail Archives
-
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
Oracle Critical Patch Update - July 2015
-
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
Sorry
-
http://www.ubuntu.com/usn/USN-2654-1
USN-2654-1: Tomcat vulnerabilities | Ubuntu security notices
-
http://rhn.redhat.com/errata/RHSA-2015-2661.html
Red Hat Customer Portal
-
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
CPU July 2018
-
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
svn commit: r1857494 [15/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ - Pony Mail
-
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/ - Pony Mail
-
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201505.mbox/%3C554949D1.8030904%40apache.org%3E
[SECURITY] CVE-2014-0230: Apache Tomcat DoSVendor Advisory
-
http://openwall.com/lists/oss-security/2015/04/10/1
oss-security - Apache Tomcat partial file upload DoS CVE-2014-0230
-
http://marc.info/?l=bugtraq&m=144498216801440&w=2
'[security bulletin] HPSBOV03503 rev.1 - HP OpenVMS CSWS_JAVA running Tomcat, Multiple Remote Vulnera' - MARC
-
http://rhn.redhat.com/errata/RHSA-2015-1621.html
Red Hat Customer Portal
-
http://rhn.redhat.com/errata/RHSA-2016-0597.html
RHSA-2016:0597 - Security Advisory - Red Hat Customer Portal
-
http://marc.info/?l=bugtraq&m=145974991225029&w=2
'[security bulletin] HPSBUX03561 rev.1 - HPE HP-UX using Apache Tomcat, Remote Access Restriction Byp' - MARC
Jump to