
Preemptive Protection against Apache Tomcat JK Web Server Connector Long URL Stack Overflow Vulnerability


Check Point Reference: CPAI-2008-136
Date Published:
Severity:
Last Updated:
Source: Secunia Advisory: SA24398
Industry Reference(s): CVE-2007-0774
Protection Provided by:
VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
VSX
  • NGX
  • NGX R65
InterSpect
  • NGX
Connectra
  • NGX R62
  • NGX R61
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Apache Software Foundation Tomcat JK Web Server Connector 1.2.19
Apache Software Foundation Tomcat JK Web Server Connector 1.2.20
Vulnerability Description
A stack overflow vulnerability was reported in Apache Tomcat JK Web Server Connector. Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages technologies. A remote attacker may exploit this issue to execute arbitrary code on an affected system.
Update/Patch Available
Update to version 1.2.21:
Apache Tomcat
Vulnerability Details
The vulnerability is due to a boundary error in the Apache Tomcat URL handler, which fails to properly process malformed HTTP requests. A remote attacker may trigger this issue by sending a specially crafted HTTP request with an overly long URL to an affected server. Successful exploitation of this vulnerability may allow the attacker to execute arbitrary code on the target system.

Protection Overview
When this protection is enabled, SmartDefense detects and blocks HTTP queries with overly long URLs. No update is required to address this vulnerability except for IPS-1.
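The same length check can be run retrospectively over web server access logs to find requests that the protection would have blocked. The following is an added example, not Check Point or Apache code; it assumes Apache common/combined log format, uses the 4096 limit from this advisory as its threshold, and the log lines are constructed samples.

```python
import re

# Threshold from the advisory: configured length limits should stay below 4096.
MAX_URL_LEN = 4096

# Apache common/combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*?)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample input (documentation addresses, filler URLs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2007:10:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 1043',
    '192.0.2.77 - - [01/Mar/2007:10:00:05 +0000] "GET /' + "x" * 4200 + ' HTTP/1.1" 404 312',
    '192.0.2.10 - - [01/Mar/2007:10:00:09 +0000] "GET /' + "b" * 4094 + ' HTTP/1.1" 200 88',
    '198.51.100.5 - - [01/Mar/2007:10:00:12 +0000] "-" 408 -',
    'not an access log line',
]


def long_url_hits(lines, limit=MAX_URL_LEN):
    """Return (host, time, method, url_length, status) for each request
    whose URL length meets or exceeds the limit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        parts = m.group("request").split(" ")
        # A normal request line is METHOD URL VERSION; timeouts are logged
        # as "-" and carry no URL, so they are skipped.
        if len(parts) < 2:
            continue
        method, url = parts[0], parts[1]
        if len(url) >= limit:
            hits.append((m.group("host"), m.group("time"), method,
                         len(url), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for host, when, method, length, status in long_url_hits(SAMPLE_LOG):
        print(f"{when} {host} {method} url_len={length} status={status}")
```

Run it against the access log of the web server that hosts the JK connector; the status column helps separate requests that were rejected from ones that were passed on.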

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > HTTP Format Sizes.
2. In the configuration pane, under Settings > Mode, check Active.
3. Under Format Sizes Configuration, check the Max Header Value Length box.
4. The header length value should be less than 4096.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Protocol Inspection > HTTP Format Sizes.
2. In the configuration pane, check the Max Header Value Length box.
3. The header length value should be less than 4096.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Protocol Inspection > Microsoft Internet Explorer Vulnerabilities > HTTP Format Sizes.
2. In the configuration pane, check the Max URL Length box.
3. The URL length value should be less than 4096.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020004 URL length exceeded allowed maximum length in request

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > HTTP Format Sizes.
2. In the configuration pane, under Settings > Mode, check Active.
3. Under Format Sizes Configuration, check the Max Header Value Length box.
4. The header length value should be less than 4096.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Protocol Inspection > Microsoft Internet Explorer Vulnerabilities > HTTP Format Sizes.
2. In the configuration pane, check the Max URL Length box.
3. The URL length value should be less than 4096.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020004 URL length exceeded allowed maximum length in request

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click HTTP Protocol Inspection > HTTP Format Sizes.
3. In the configuration pane, under Format Sizes Configuration, check the Max Header Value Length box.
4. The header length value should be less than 4096.
5. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

Connectra NGX R62 & R61

How Can I Protect My Network?
1. In the navigation tree, click Security > Web Intelligence.
2. In the HTTP Protocol Inspection pane, click the HTTP Format protection.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the Apache Attacks protection group.
3. Click CVE-2007-0774 Long HTTP URI (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entry will be logged:

Alert Name: www2_apache
Description: cve_2007_0774_alert