CVE-2006-5989 in Jakarta Tomcatinfo

Summary

by MITRE

Off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 allows remote attackers to cause a denial of service (crash) via a crafted Kerberos message that triggers a heap-based buffer overflow in the component array.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/28/2026

The vulnerability identified as CVE-2006-5989 represents a critical software flaw in the mod_auth_kerb module version 5.0, which serves as an Apache HTTP Server module for Kerberos authentication. This issue manifests as an off-by-one error within the der_get_oid function, a component responsible for parsing ASN.1 encoded Object Identifier (OID) values from Kerberos messages. The flaw occurs during the processing of Kerberos authentication requests where the module fails to properly validate array boundaries when handling decoded OID data, creating a condition that can be exploited by remote attackers to execute malicious code.

The technical implementation of this vulnerability stems from improper boundary checking in the der_get_oid function where the component array receives a crafted input that exceeds the allocated buffer size by exactly one byte. This off-by-one condition creates a heap-based buffer overflow scenario that can be triggered when a remote attacker sends a specially constructed Kerberos message containing malformed OID data. The overflow occurs in the heap memory region where the component array is allocated, allowing the attacker to overwrite adjacent memory locations and potentially execute arbitrary code or cause the Apache HTTP Server process to crash.

From an operational perspective, this vulnerability poses significant risk to organizations relying on Kerberos authentication through Apache servers, as it can be exploited remotely without requiring authentication credentials. The denial of service impact can result in complete service disruption, affecting legitimate users who depend on the authentication system. The vulnerability is particularly dangerous because it can be triggered through standard Kerberos authentication flows, making it difficult to distinguish between legitimate and malicious traffic. Attackers can leverage this flaw to repeatedly crash the authentication service, leading to prolonged availability issues that can compromise business operations and potentially provide cover for more sophisticated attacks.

The vulnerability aligns with CWE-121, Heap-based Buffer Overflow, and CWE-129, Improper Validation of Array Index, both of which are fundamental weaknesses in memory management and input validation. From an attack framework perspective, this vulnerability maps to the ATT&CK technique T1210, Exploitation of Remote Services, and T1499, Endpoint Denial of Service, as it enables attackers to cause system unavailability through crafted network messages. Organizations should prioritize immediate patching of affected systems, as the vulnerability affects a core authentication module that is widely deployed in enterprise environments. Additional mitigations include implementing network segmentation to limit access to Kerberos services, deploying intrusion detection systems to monitor for suspicious Kerberos traffic patterns, and configuring proper access controls to restrict which systems can initiate Kerberos authentication requests. The vulnerability demonstrates the importance of thorough input validation in cryptographic libraries and highlights the need for rigorous security testing of authentication modules that handle sensitive protocol data.

Reservation

11/20/2006

Disclosure

11/20/2006

Moderation

accepted

Entry

VDB-2703

CPE

ready

EPSS

0.03737

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!