CVE-2011-0534 | Vulnerability Database | Aqua Security

Apache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not enforce the maxHttpHeaderSize limit for requests involving the NIO HTTP connector, which allows remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request.

Affected Software

Name	Vendor	Start Version	End Version
Tomcat	Apache	7.0.0 (including)	7.0.0 (including)
Tomcat	Apache	7.0.1 (including)	7.0.1 (including)
Tomcat	Apache	7.0.2 (including)	7.0.2 (including)
Tomcat	Apache	7.0.3 (including)	7.0.3 (including)
Tomcat	Apache	7.0.4 (including)	7.0.4 (including)
Tomcat	Apache	7.0.5 (including)	7.0.5 (including)
Tomcat	Apache	7.0.6 (including)	7.0.6 (including)

References

http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
http://marc.info/?l=bugtraq\u0026m=139344343412337\u0026w=2
http://osvdb.org/70809
http://secunia.com/advisories/43192
http://secunia.com/advisories/45022
http://secunia.com/advisories/57126
http://securityreason.com/securityalert/8074
http://support.apple.com/kb/HT5002
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.32
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.8_%28released_5_Feb_2011%29
http://www.debian.org/security/2011/dsa-2160
http://www.securityfocus.com/archive/1/516214/100/0/threaded
http://www.securityfocus.com/bid/46164
http://www.securitytracker.com/id?1025027
http://www.vupen.com/english/advisories/2011/0293
https://exchange.xforce.ibmcloud.com/vulnerabilities/65162

NVD	https://nvd.nist.gov/vuln/detail/CVE-2011-0534
CWE	https://cwe.mitre.org/data/definitions/399.html