tomcat-users mailing list archives

From Remy Maucherat <>
Subject Re: CVE-2012-0022 details
Date Sat, 21 Jan 2012 09:16:51 GMT
On Sat, Jan 21, 2012 at 9:02 AM, David Jorm <> wrote:
> Hi All
> I am working on resolving the CVE-2012-0022 DoS in JBoss Web, and I wanted to confirm
> some details if anyone can help. Based on reading the advisory and Tomcat patch code, it seems
> to me that the issue is simply slow processing when a very large number of parameters is received
> with a request. The JBoss Web patch we implemented for CVE-2011-4858 (hash DoS) limits the
> number of parameters that can be passed with a request to 512 by default. With this limit
> in place, I am unable to reproduce CVE-2012-0022 by passing in a very large number of parameters.
> I wanted to check whether handling a very large number of parameters is all that is required
> to resolve CVE-2012-0022, or whether there is something more to it that I have missed?

JBoss Web and Tomcat are separate products, and issues are often dealt
with in different ways. Please do not bother the Tomcat community with
issues that do not concern them.
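The mitigation David's message describes, a per-request cap on the number of parameters (512 by default), as an added Python example that is not code from JBoss Web or Tomcat; the parser, the `TooManyParameters` exception and the constructed request bodies are assumptions made for illustration:

```python
from urllib.parse import unquote_plus

# The 512 default is the value quoted in the message above; the rest is a constructed example.
MAX_PARAMETER_COUNT = 512


class TooManyParameters(ValueError):
    """Raised as soon as the cap is exceeded, before the rest of the body is parsed."""


def parse_form_params(body: str, max_count: int = MAX_PARAMETER_COUNT) -> dict:
    """Parse an application/x-www-form-urlencoded body into {name: [values]}.

    Pairs are scanned incrementally and the count is checked before each pair
    is decoded or inserted into the dict, so an oversized request is rejected
    early instead of paying the decode and hash-insert cost for every parameter.
    """
    params: dict = {}
    count = 0
    pos = 0
    while pos <= len(body):
        end = body.find("&", pos)
        if end == -1:
            end = len(body)
        raw_pair = body[pos:end]
        pos = end + 1
        if not raw_pair:
            continue  # tolerate "a=1&&b=2" and a trailing "&"
        count += 1
        if count > max_count:
            raise TooManyParameters(
                f"more than {max_count} parameters in request (rejected at pair {count})"
            )
        name, sep, value = raw_pair.partition("=")
        # A bare name with no "=" is kept with an empty value.
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value) if sep else "")
    return params


def constructed_body(n: int) -> str:
    """Constructed input: a body with n distinct parameters, p0=0&p1=1&..."""
    return "&".join(f"p{i}={i}" for i in range(n))


if __name__ == "__main__":
    print(len(parse_form_params(constructed_body(512))))  # exactly at the cap: accepted
    try:
        parse_form_params(constructed_body(513))
    except TooManyParameters as exc:
        print("rejected:", exc)
```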

