If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP connection. If this connector is a member of a mod_jk load balancing worker, that member is put into an error state and blocked from use for approximately one minute. The behavior can therefore be used for a denial of service attack using a carefully crafted request. Affected versions include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.
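To check an inventory against the version ranges listed above, the following is an added example (not part of the original advisory or of Tomcat). The function names, the banner format and the host names are assumptions made for illustration.

```python
import re

# Affected ranges exactly as listed in the advisory text (inclusive bounds).
AFFECTED_RANGES = [
    ((6, 0, 0), (6, 0, 18)),
    ((5, 5, 0), (5, 5, 27)),
    ((4, 1, 0), (4, 1, 39)),
]

# First major.minor.patch triple that is not the tail of a longer number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?!\d)")


def parse_version(text):
    """Extract (major, minor, patch) from a version or banner string."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no major.minor.patch version in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the version in `text` falls inside a listed affected range."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def audit(inventory):
    """Map each host to 'affected', 'not listed' or 'unparseable'."""
    results = {}
    for host, banner in inventory.items():
        try:
            results[host] = "affected" if is_affected(banner) else "not listed"
        except ValueError:
            # Incomplete or hidden version: needs a manual look, not a pass.
            results[host] = "unparseable"
    return results


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and banners).
    sample = {
        "app01": "Apache Tomcat/6.0.18",
        "app02": "Apache Tomcat/6.0.20",
        "app03": "5.5.27",
        "app04": "Apache Tomcat/4.1.40",
        "app05": "Apache Tomcat",
    }
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

A match only shows that the release is in a listed range; exposure also depends on whether the Java AJP connector is in use behind a mod_jk load balancing worker, as the advisory describes.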
You can download this advisory from the following link: https://packetstormsecurity.com/files/download/78091/CVE-2009-0033.txt
Source: https://packetstormsecurity.com/files/78091/Apache-Tomcat-Denial-Of-Service.html

