Softpedia
 


January 18th, 2012, 12:17 GMT · By Eduard Kovacs

Apache Tomcat Users Advised to Update to Avoid Hash DOS Attacks

The Apache Software developers released an advisory recommending that customers update their Apache Tomcat software to protect themselves against potential hash denial-of-service (DoS) attacks.

“Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values,” reads the advisory.

“These inefficiencies could allow an attacker, via a specially crafted request, to cause large amounts of CPU to be used which in turn could create a denial of service.”

In the latest releases, the issue was addressed by changing the parameter handling code to process large numbers of parameters and their values more efficiently.

Users of Tomcat versions between 7.0.0 and 7.0.22, of Tomcat 6.0.33 and earlier variants, and of Tomcat 5.5.34 and prior are advised to update immediately to the latest versions, which mitigate the threat.

We'll take this opportunity to remind everyone that starting with September 30, 2012, the company will no longer offer support for Apache Tomcat 5.5.x.

This implies that after the aforementioned date, releases from this branch are highly unlikely to be launched and bugs that affect only these variants are no longer addressed.

Also, vulnerability reports that may affect a system’s security will no longer be checked to see if they affect the 5.5.x version.

Furthermore, from the first day of 2013 the download pages for these products will be removed and even the latest release will be removed from the mirror system.

The documentation for Tomcat 5.5.x will no longer exist on tomcat.apache.org and the Bugzilla project for it will become read-only.

The final release will be made sometime after September 30.

This notice is highly important for clients who rely on this variant, as it gives them the necessary time to take appropriate measures.

Apache Tomcat 7.0.23 / 6.0.35 / 5.5.35 is available for download here.
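To act on the version ranges above, the following added example (not part of the original article or of Apache's advisory) classifies an inventory of Tomcat version strings against the affected and fixed releases named in the article. The host names and the sample inventory are constructed, and "and earlier" / "and prior" are assumed to mean earlier releases within the same branch.

```python
import re

# Last affected and first fixed release per branch, as given in the article.
# Assumption: "and earlier"/"and prior" are read as "within the same branch".
BRANCHES = {
    (7, 0): ((7, 0, 22), (7, 0, 23)),
    (6, 0): ((6, 0, 33), (6, 0, 35)),
    (5, 5): ((5, 5, 34), (5, 5, 35)),
}
# The article says support for 5.5.x ends on September 30, 2012.
END_OF_SUPPORT = {(5, 5): "2012-09-30"}

# Matches "Apache Tomcat/7.0.22" (the form Tomcat reports) or a bare "7.0.22".
VERSION_RE = re.compile(r"(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)")

def classify(banner):
    """Return (status, upgrade_to, end_of_support) for one version string."""
    m = VERSION_RE.search(banner)
    if m is None:
        return ("unparsed", None, None)
    ver = tuple(int(part) for part in m.groups())
    branch = ver[:2]
    if branch not in BRANCHES:
        return ("unlisted", None, None)  # branch not covered by the article
    last_affected, fixed = BRANCHES[branch]
    eos = END_OF_SUPPORT.get(branch)
    fixed_str = ".".join(map(str, fixed))
    if ver <= last_affected:
        return ("affected", fixed_str, eos)
    if ver >= fixed:
        return ("fixed", None, eos)
    # Between the last affected and the fixed release: the article is silent.
    return ("unlisted", fixed_str, eos)

def audit(inventory):
    """Map host -> classification for a {host: version string} inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}

# Constructed sample inventory (hypothetical host names, not from the article).
SAMPLE = {
    "app01": "Apache Tomcat/7.0.22",
    "app02": "Apache Tomcat/7.0.23",
    "legacy01": "Apache Tomcat/5.5.34",
    "legacy02": "Apache Tomcat/6.0.34",
    "proxy01": "nginx",
}

if __name__ == "__main__":
    for host, result in sorted(audit(SAMPLE).items()):
        print(host, *result)
```

Hosts reported as `affected` carry the release to move to; 5.5.x hosts also carry the end-of-support date, so an upgrade to 5.5.35 can be planned together with a migration off that branch.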
Copyright © 2001-2012 Softpedia.