From: Mark Thomas
Date: Wed, 28 Dec 2011 22:28:16 +0000
To: Tomcat Users List
CC: announce@tomcat.apache.org, announce@apache.org, Tomcat Developers List
Subject: [SECURITY] Apache Tomcat and the hashtable collision DoS vulnerability
Message-ID: <4EFB9800.5010106@apache.org>

You may have read about a recently announced vulnerability rooted in the Java hashtable implementation [1]. Since Apache Tomcat uses a hashtable for storing HTTP request parameters, it is affected by this issue. As per [1], it appears that Oracle will not be providing a fix for this vulnerability within the JRE.
Tomcat has implemented a work-around for this issue by providing a new option (maxParameterCount) to limit the number of parameters processed for a single request. The default limit is 10000: high enough to be unlikely to affect any application; low enough to mitigate the effects of the DoS.

The work-around is available in:

- trunk
- 7.0.23 onwards
- 6.0.35 onwards

The work-around will also be available in 5.5.35 once released.

If using an earlier version of Apache Tomcat that does not have the maxParameterCount attribute available, limiting maxPostSize to a few tens of kB should also mitigate the issue, although it may cause problems for some applications.

While this is not viewed as a vulnerability in Apache Tomcat, the Apache Tomcat security team is making this announcement due to the high likelihood that applications will be affected by this issue and to make users aware of the available work-arounds.

The Apache Tomcat security team

[1] http://www.nruns.com/_downloads/advisory28122011.pdf
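As an added illustration of the two work-arounds described in this announcement (this is example code, not Tomcat's own parameter parser), the following parser enforces a maxParameterCount and a maxPostSize limit while building the request-parameter hashtable. The class name, the exception type, and the choice to reject the request outright (rather than however Tomcat itself handles the excess) are assumptions of the example; URL decoding is omitted for brevity.

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

// Hypothetical parser mirroring the maxParameterCount / maxPostSize limits.
public final class BoundedParameterParser {

    public static final class LimitExceeded extends Exception {
        LimitExceeded(String msg) { super(msg); }
    }

    private final int maxParameterCount; // like the Connector attribute
    private final int maxPostSize;       // like the Connector attribute (bytes)

    public BoundedParameterParser(int maxParameterCount, int maxPostSize) {
        this.maxParameterCount = maxParameterCount;
        this.maxPostSize = maxPostSize;
    }

    /** Parses "a=1&b=2" into a map, refusing input that breaches either limit. */
    public Map<String, String> parse(byte[] body) throws LimitExceeded {
        if (body.length > maxPostSize) {
            throw new LimitExceeded("body exceeds maxPostSize=" + maxPostSize);
        }
        String query = new String(body, StandardCharsets.ISO_8859_1);
        Map<String, String> params = new HashMap<>();
        int count = 0;
        // The collision attack needs many keys in one table to become expensive,
        // so checking the count before each insert bounds the per-request work.
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            if (++count > maxParameterCount) {
                throw new LimitExceeded("more than maxParameterCount=" + maxParameterCount);
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(name, value);
        }
        return params;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the announced default of 10000 parameters, 2 MB body.
        BoundedParameterParser p = new BoundedParameterParser(10000, 2 * 1024 * 1024);
        System.out.println(p.parse("user=alice&page=2".getBytes()).size()); // 2
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i <= 10000; i++) sb.append("k").append(i).append("=v&");
        try { p.parse(sb.toString().getBytes()); }
        catch (LimitExceeded e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```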