Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] jvm/tomcat security issue

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] jvm/tomcat security issue

Chronological Thread 
  • From: Andrew Petro <>
  • To:
  • Subject: Re: [grouper-users] jvm/tomcat security issue
  • Date: Thu, 24 Feb 2011 15:04:31 -0500

> has anyone been able to reproduce this against a Java webapp?

Yes. I'll share on-list that I've personally demonstrated this vulnerability working against Jasig CAS, which in part led to this announcement:

As far as I could tell, only paths that cause the web application to attempt to getLocale() trigger Tomcat parsing enough of the afflicted header to actuate the vulnerability. Some web applications don't exercise this code path and so may not be vulnerable. CAS is vulnerable because it uses a framework that exercises that code path on its behalf in setting up handling the request. However, any reasonable framework will likely exercise the affected code path in its efforts to set up proper localization.

I haven't tried it against any Grouper.

Ping me off-list and I'll be happy to share more details, the automated script that demonstrated the vulnerability...


On 02/24/2011 02:44 PM, Chris Hyzer wrote:
Just curious, has anyone been able to reproduce this against a Java webapp?
I can reproduce in a command line java program. In a webapp, I am trying
with Firefox and the tamper data plugin, and I cant get anything to lock up.
Im sure if I changed the server side code I could get it to work, but if
anyone can make Grouper (UI or WS) freeze up, I would be interested. Feel
free to contact me off list if people don't want to discuss this publicly.


-----Original Message-----

On Behalf Of Tom Barton
Sent: Monday, February 21, 2011 9:44 AM

Subject: [grouper-users] jvm/tomcat security issue

Many grouper installations rely on tomcat, and many tomcat installations
rely on Oracle's JVM (formerly Sun's java). Many versions of the JVM
have a "complete DoS" vulnerability, meaning a remote attacker can keep
it down all the time.

Just thought you'd want to know, if you haven't heard already by some
other means. Best to patch or upgrade.


Archive powered by MHonArc 2.6.16.

Top of Page