tomcat-announce mailing list archives

From Mark Thomas <ma...@apache.org>
Subject [SECURITY] Apache Tomcat and the hashtable collision DoS vulnerability
Date Wed, 28 Dec 2011 22:28:16 GMT
You may have read about a recently announced vulnerability rooted in the
Java hashtable implementation [1]. Since Apache Tomcat uses a hashtable
for storing HTTP request parameters, it is affected by this issue.

As per [1], it appears that Oracle will not be providing a fix for this
vulnerability within the JRE.

Tomcat has implemented a work-around for this issue by providing a new
option (maxParameterCount) to limit the number of parameters processed
for a single request. The default limit is 10000: high enough to be
unlikely to affect any application; low enough to mitigate the effects
of the DoS.

The work-around is available in:
trunk
7.0.23 onwards
6.0.35 onwards

The work-around will also be available in 5.5.35 once released.

If using an earlier version of Apache Tomcat that does not have the
maxParameterCount attribute available, limiting the maxPostSize to a few
tens of kB should also mitigate the issue, although it may cause issues
for some applications.

While this is not viewed as a vulnerability in Apache Tomcat, the Apache
Tomcat security team is making this announcement due to the high
likelihood that applications will be affected by this issue and to make
users aware of the available work-arounds.

The Apache Tomcat security team

[1] http://www.nruns.com/_downloads/advisory28122011.pdf
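An added configuration example, not part of the announcement above, showing where the two mitigations it describes are set in Tomcat's server.xml. Both attributes belong on the Connector element; the port, protocol and timeout values below are assumed placeholders for a typical HTTP connector.

```xml
<!-- Added example; not from the original announcement.
     Assumed: a plain HTTP/1.1 connector on port 8080. -->

<!-- Tomcat 7.0.23+ / 6.0.35+: cap the number of parameters parsed per request.
     10000 is the default the announcement cites; set it explicitly so the
     limit is visible to whoever audits the configuration. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxParameterCount="10000" />

<!-- Earlier releases without maxParameterCount: bound the POST body instead.
     32768 bytes is one reading of "a few tens of kB"; tune it to the largest
     legitimate form submission the application must accept. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxPostSize="32768" />
```

maxPostSize only bounds the request body; parameters supplied in the query string are already limited by the request-line size that maxHttpHeaderSize enforces.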
