CVE-2007-6286 - RETIRED: Apple Mac OS X 2008-007 Multiple Security Vulnerabilities



Last modification



Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.


Apache Tomcat is prone to a security vulnerability that will compromise data integrity when the native APR connector is used. Successful exploits will allow attackers to trigger handling of a duplicate copy of one of the recent requests received by the vulnerable server. Apache Tomcat 5.5.11 to 5.5.25 and 6.0.0 to 6.0.15 are vulnerable.


Updates are available. Please see the references for more information.


Attackers can use standard tools to exploit this issue.

Risk level (CVSS AV:N/AC:M/Au:N/C:N/I:P/A:N)



Access Vector

  • Network
  • Adjacent Network
  • Local

Access Complexity

  • Low
  • Medium
  • High


Authentication

  • None
  • Single
  • Multiple

Confidentiality Impact

  • Complete
  • Partial
  • None

Integrity Impact

  • Complete
  • Partial
  • None

Vendor comments

  • Joshua Bressers - Red Hat (2008-04-17)
    Not Vulnerable. Red Hat does not ship a version of Apache Tomcat that enables the native APR connector.

Affected Products

External references