Vulnerability Description
Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Tomcat | 5.5.11 |
References
- http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
- http://marc.info/?l=bugtraq&m=139344343412337&w=2
- http://secunia.com/advisories/28878
- http://secunia.com/advisories/28915
- http://secunia.com/advisories/29711
- http://secunia.com/advisories/30676
- http://secunia.com/advisories/32222
- http://secunia.com/advisories/37460
- http://secunia.com/advisories/57126
- http://security.gentoo.org/glsa/glsa-200804-10.xml
- http://securityreason.com/securityalert/3637
- http://support.apple.com/kb/HT3216
- http://tomcat.apache.org/security-5.html
- http://tomcat.apache.org/security-6.html
FAQ
What is CVE-2007-6286?
CVE-2007-6286 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger...
How severe is CVE-2007-6286?
CVE-2007-6286 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2007-6286?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat.