CVE-2002-2272 in Tomcat
Summary
by MITRE
Tomcat 4.0 through 4.1.12, using mod_jk 1.2.1 module on Apache 1.3 through 1.3.27, allows remote attackers to cause a denial of service (desynchronized communications) via an HTTP GET request with a Transfer-Encoding chunked field with invalid values.
Analysis
by VulDB Data Team • 08/29/2025
CVE-2002-2272 is a denial of service weakness in the Apache Tomcat ecosystem, affecting Tomcat 4.0 through 4.1.12 when fronted by Apache 1.3 (1.3 through 1.3.27) via the mod_jk 1.2.1 connector module. The flaw is a desynchronization of the communication channel between the web server and the application server during HTTP request processing: a crafted request leaves the two ends with different ideas of where the request ends, and service availability suffers as a result. Apache in front of Tomcat was a common deployment pattern in the early 2000s, so the issue still matters for organizations operating legacy systems of that vintage.
The root cause is improper handling of a chunked Transfer-Encoding in the mod_jk integration. mod_jk relays requests from Apache to Tomcat over the AJP connector protocol, and on the affected versions an HTTP GET request whose Transfer-Encoding: chunked body carries invalid chunk-size values is not rejected at the front end. Apache/mod_jk and Tomcat therefore disagree about the framing of the request, the connector connection between them falls out of step, and the expected request-response cycle breaks down on that connection. In short, the parsing logic neither validates nor rejects malformed chunk-size values before the request is forwarded.
The operational impact is a sustained denial of service rather than a single failed request: a desynchronized connector channel can leave the affected Tomcat instance unable to answer further requests over it, rendering the web application inaccessible to legitimate users until the service is restarted. In production environments with high-availability requirements this means administrator intervention and extended downtime. The case also illustrates a property of multi-tier web architectures: a framing failure in one component (here the connector) cascades through the entire application stack.
The page maps the weakness to CWE-129 (Improper Validation of Array Index); the underlying behaviour is a failure to validate chunk-size values during HTTP protocol parsing. The ATT&CK mapping is T1499.004, Endpoint Denial of Service: Application or System Exploitation. Mitigations: upgrade Tomcat and mod_jk to fixed releases (later than 4.1.12 and 1.2.1 respectively); validate Transfer-Encoding handling at the web server tier so that malformed chunked bodies are rejected before anything is forwarded to the connector; and restrict or monitor chunked requests at the firewall or reverse proxy, particularly on methods such as GET that normally carry no body. For detection, log or alert on Transfer-Encoding: chunked requests whose chunk-size lines are not valid hexadecimal, and keep incident response procedures ready for connector hangs. More generally, the case shows how a small implementation flaw in the HTTP parsing of a middleware component can become a significant availability risk.
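The following is an added illustration of the front-end validation and detection the two paragraphs above call for; it is not VulDB's code and not code from the Apache, Tomcat or mod_jk projects. It decodes a chunked request body strictly, rejecting non-hexadecimal or oversized chunk-size values, bodies whose chunk data is not terminated by CRLF, and bytes left over after the final chunk, so that a front end running this check never forwards a request whose framing the back end might read differently. The per-chunk limit, the policy of refusing a body on GET/HEAD, and the sample requests are constructed for the example.

```python
"""Strict validation of HTTP/1.1 chunked request bodies before forwarding.

Added example (not VulDB's or the Apache/Tomcat/mod_jk projects' code).
MAX_CHUNK and the GET/HEAD body policy are assumptions for this example;
the sample requests at the bottom are constructed, not captured traffic.
"""
import re

# chunk-size is 1*HEXDIG, optionally followed by chunk extensions (";name=value").
# The {1,8} bound is an assumed limit so the value cannot overflow a 32-bit length.
CHUNK_SIZE_RE = re.compile(rb'^([0-9A-Fa-f]{1,8})(;[^\r\n]*)?$')
MAX_CHUNK = 1 << 20  # assumed per-chunk cap for this example (1 MiB)


class ChunkError(ValueError):
    """Raised for any chunked-body framing the front end will not forward."""


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, headers, body).

    headers maps lower-cased field name (bytes) -> list of values (repeats kept)."""
    head, sep, body = raw.partition(b'\r\n\r\n')
    if not sep:
        raise ChunkError('incomplete header block')
    lines = head.split(b'\r\n')
    method = lines[0].split(b' ')[0].decode('ascii', 'replace')
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b':')
        if not colon:
            raise ChunkError('malformed header line %r' % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, headers, body


def decode_chunked(body):
    """Decode a chunked body strictly. Returns (data, bytes_consumed).

    Every chunk-size line must be plain hex (plus optional extension) within
    MAX_CHUNK, every chunk must be followed by CRLF, and the last-chunk must
    be followed by a (possibly empty) trailer section and a blank line."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b'\r\n', pos)
        if eol < 0:
            raise ChunkError('chunk-size line not terminated by CRLF')
        m = CHUNK_SIZE_RE.match(body[pos:eol])
        if not m:
            raise ChunkError('invalid chunk-size %r' % body[pos:eol])
        size = int(m.group(1), 16)
        if size > MAX_CHUNK:
            raise ChunkError('chunk-size %d exceeds limit' % size)
        pos = eol + 2
        if size == 0:
            break
        data = body[pos:pos + size]
        if len(data) != size:
            raise ChunkError('truncated chunk data')
        pos += size
        if body[pos:pos + 2] != b'\r\n':
            raise ChunkError('chunk data not followed by CRLF')
        pos += 2
        out += data
    # last-chunk seen: zero or more trailer fields, then an empty line
    while True:
        eol = body.find(b'\r\n', pos)
        if eol < 0:
            raise ChunkError('trailer section not terminated')
        line = body[pos:eol]
        pos = eol + 2
        if not line:
            return bytes(out), pos
        if b':' not in line:
            raise ChunkError('malformed trailer %r' % line)


def check_request(raw):
    """Return ('forward', body_bytes) or ('reject', reason) for one request."""
    try:
        method, headers, body = parse_request(raw)
        te = headers.get(b'transfer-encoding', [])
        if not te:
            return ('forward', body)
        if b'content-length' in headers:
            return ('reject', 'Transfer-Encoding and Content-Length both present')
        codings = [c.strip().lower() for v in te for c in v.split(b',')]
        if codings[-1] != b'chunked':
            return ('reject', 'chunked is not the final transfer-coding')
        data, consumed = decode_chunked(body)
        if consumed != len(body):
            # Leftover bytes are exactly what lets two parsers disagree on
            # where this request ends (this example handles one request per buffer).
            return ('reject', 'unexpected bytes after final chunk: %d' % (len(body) - consumed))
        if method in ('GET', 'HEAD') and data:
            return ('reject', 'body on %s request (assumed policy)' % method)
        return ('forward', data)
    except ChunkError as e:
        return ('reject', str(e))


# Constructed samples (not captured traffic).
GOOD_POST = (b'POST /app HTTP/1.1\r\nHost: example.test\r\n'
             b'Transfer-Encoding: chunked\r\n\r\n'
             b'5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n')
BAD_GET = (b'GET /app HTTP/1.1\r\nHost: example.test\r\n'
           b'Transfer-Encoding: chunked\r\n\r\n'
           b'zz\r\nhello\r\n0\r\n\r\n')               # non-hex chunk-size
HUGE_GET = (b'GET /app HTTP/1.1\r\nHost: example.test\r\n'
            b'Transfer-Encoding: chunked\r\n\r\n'
            b'FFFFFFFFFFFFFFFF\r\n0\r\n\r\n')        # 16 hex digits: too long to be valid
OVERSIZE_POST = (b'POST /app HTTP/1.1\r\nHost: example.test\r\n'
                 b'Transfer-Encoding: chunked\r\n\r\n'
                 b'FFFFFFFF\r\n0\r\n\r\n')           # valid hex, but above MAX_CHUNK


def main():
    for name, req in [('GOOD_POST', GOOD_POST), ('BAD_GET', BAD_GET),
                      ('HUGE_GET', HUGE_GET), ('OVERSIZE_POST', OVERSIZE_POST)]:
        print(name, check_request(req))


if __name__ == '__main__':
    main()
```

Running the file prints a verdict per sample: the well-formed POST is forwarded with its decoded body, while the three malformed requests are rejected with the specific framing error, which is also the field a detection rule or WAF log entry should carry. The design choice worth noting is that the decoder consumes the body to its exact end and refuses leftover bytes; a front end that forwards bytes it has not itself framed is the one that ends up desynchronized from its back end.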
This vulnerability serves as a historical example of how protocol-level weaknesses in web server integrations can create severe operational impacts, emphasizing the need for comprehensive security testing of middleware components and the importance of maintaining up-to-date software versions to protect against known exploits.