CVE-2012-3544 — tomcat7 - security update

Description

Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data.

How to fix CVE-2012-3544

To remediate CVE-2012-3544, upgrade the affected package to a fixed version below.

Debian/tomcat6—upgrade to 6.0.35-1+squeeze3 or later
Debian/tomcat7—upgrade to 7.0.28-4+deb7u1 or later
Maven/org.apache.tomcat:tomcat—upgrade to 6.0.37 or later

Is CVE-2012-3544 being exploited?

Moderate — EPSS is 38.1%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

from 0, < 6.0.35-1+squeeze3
from 0, < 7.0.28-4+deb7u1
>= 6.0.0, < 6.0.37

References (25)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-3544
PATCHgithub.com/apache/tomcat
WEBseclists.org/fulldisclosure/2014/Dec/23
WEBlists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E