Bug 750521 (CVE-2011-4084, CVE-2011-4858)
| Summary: | CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003) | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aogburn, awnuk, ccoleman, daxiezhi, djorm, dknox, jdennis, jlee, jpazdziora, mfuruta, mharmsen, mhasko, ole.d, patrickm, pcheung, sappleto, security-response-team, tkramer, tromey, vdanen, yohmura |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-06 06:18:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 751657, 751658, 751659, 751660, 751661, 751662, 751663, 751664, 751665, 751666, 771526, 771532 | | |
| Bug Blocks: | 750525, 770929, 795277, 804887, 810065, 811419 | | |
Description
Jan Lieskovsky
2011-11-01 13:21:09 UTC
Acknowledgements: Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters.

This issue was presented on 28C3:
http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html

Details were posted to full-disclosure:
http://seclists.org/fulldisclosure/2011/Dec/477

oCERT advisory:
http://www.ocert.org/advisories/ocert-2011-003.html

n.runs advisory (copy of the full-disclosure post):
http://www.nruns.com/_downloads/advisory28122011.pdf

28C3 slides and recording:
http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf
http://www.youtube.com/28c3#p/u/22/R2Cq3CLI6H8

Another good write-up of the issue:
http://cryptanalysis.eu/blog/2011/12/28/effective-dos-attacks-against-web-application-plattforms-hashdos/

As the issue is currently not planned to be addressed in the Java hash table implementation (see bug #750533, comment #12), Tomcat upstream has added a workaround to protect against this issue. The Tomcat patch introduces support for a new connector parameter, maxParameterCount, which limits the number of parameters processed for a single request. The default value of 10000 is believed to be high enough to not introduce regressions for existing applications and should also mitigate the attack sufficiently.
See upstream announcement for details:
http://markmail.org/thread/jni4gb5biaolh66t

Related upstream commits in various SVN branches:

tomcat-7.0.x
http://svn.apache.org/viewvc?view=revision&revision=1189899
http://svn.apache.org/viewvc?view=revision&revision=1190372
http://svn.apache.org/viewvc?view=revision&revision=1190482
http://svn.apache.org/viewvc?view=revision&revision=1194917
http://svn.apache.org/viewvc?view=revision&revision=1195225
http://svn.apache.org/viewvc?view=revision&revision=1195226
http://svn.apache.org/viewvc?view=revision&revision=1195537
http://svn.apache.org/viewvc?view=revision&revision=1195909
http://svn.apache.org/viewvc?view=revision&revision=1195944
http://svn.apache.org/viewvc?view=revision&revision=1195951
http://svn.apache.org/viewvc?view=revision&revision=1195977
http://svn.apache.org/viewvc?view=revision&revision=1198641
http://svn.apache.org/viewvc?view=revision&revision=1200184
http://svn.apache.org/viewvc?view=revision&revision=1200186
http://svn.apache.org/viewvc?view=revision&revision=1200218
http://svn.apache.org/viewvc?view=revision&revision=1200318
http://svn.apache.org/viewvc?view=revision&revision=1200321
http://svn.apache.org/viewvc?view=revision&revision=1202708
http://svn.apache.org/viewvc?view=revision&revision=1224665

tomcat-6.0.x
http://svn.apache.org/viewvc?view=revision&revision=1200601
http://svn.apache.org/viewvc?view=revision&revision=1206324

tomcat-5.5x
http://svn.apache.org/viewvc?view=revision&revision=1221282
http://svn.apache.org/viewvc?view=revision&revision=1224640

(In reply to comment #18)
> http://markmail.org/thread/jni4gb5biaolh66t

As noted in the upstream post, maxParameterCount is available in 7.0.23 and 6.0.35, and should be available in 5.5.35 once released.

oCERT made a mistake when publishing the CVE name. The CVE name for this flaw is _not_ CVE-2011-4084, it should have been CVE-2011-4858. I have updated the bug to reflect this. CVE-2011-4084 will not be used.

JBoss Web is affected by this flaw. The impact is restricted by JBoss Web's limit on the total size of a POST message.

Upstream announcement:
http://markmail.org/message/jni4gb5biaolh66t

(In reply to comment #18)

Patches for CVE-2011-4858 overlap with patches for CVE-2012-0022.

> tomcat-6.0.x
> http://svn.apache.org/viewvc?view=revision&revision=1200601
> http://svn.apache.org/viewvc?view=revision&revision=1206324

http://svn.apache.org/viewvc?view=rev&rev=1229027

> tomcat-5.5x
> http://svn.apache.org/viewvc?view=revision&revision=1221282
> http://svn.apache.org/viewvc?view=revision&revision=1224640

http://svn.apache.org/viewvc?view=rev&rev=1228191

I see no mention of CVE-2011-4858 at all on the Tomcat site; are they using CVE-2012-0022 _instead_ of CVE-2011-4858 then? I'm adding the CVE alias to this bug, but we probably should find out whether or not upstream is even using CVE-2011-4858 for anything now, or if this is supposed to be two overlapping CVEs.

(In reply to comment #35)
> I see no mention of CVE-2011-4858 at all on the Tomcat site; are they using
> CVE-2012-0022 _instead_ of CVE-2011-4858 then?

No, my understanding is that while fixing the hashdos issue (CVE-2011-4858), upstream discovered other issues / inefficiencies in the parameter parsing code. This is confirmed by the CVE-2012-0022 announcement:
http://markmail.org/thread/c4bvywhk5euqvv7x

> Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values.

All issues were apparently fixed together and the hashdos fix was publicly acknowledged at the same time all other hashdos issues were made public, but these other issues were not mentioned publicly before yesterday's announcement. We should track CVE-2012-0022 via a separate bug.
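The following is an added illustration of the maxParameterCount workaround described in this bug (not Tomcat's or JBoss Web's code, and not part of the original report): a form-body parser that stops inserting name/value pairs into its hash table once the cap is reached, so the number of table insertions (the operation whose cost degrades under colliding keys) a single request can force is bounded. The names `parse_parameters` and `ParameterLimitExceeded`, and the 2 MB `max_post_size` default that stands in for the POST-size limit mentioned for JBoss Web, are assumptions of this example.

```python
from urllib.parse import unquote_plus

# Tomcat's default for the maxParameterCount connector attribute (per this report).
DEFAULT_MAX_PARAMETER_COUNT = 10000
# Assumed cap on the raw body size, modelled on the POST-size limit JBoss Web applies.
DEFAULT_MAX_POST_SIZE = 2 * 1024 * 1024


class ParameterLimitExceeded(Exception):
    """Raised when the raw request body is larger than the configured limit."""


def parse_parameters(body, max_parameter_count=DEFAULT_MAX_PARAMETER_COUNT,
                     max_post_size=DEFAULT_MAX_POST_SIZE):
    """Parse an application/x-www-form-urlencoded body into {name: [values]}.

    Returns (params, truncated). Splitting the body is linear work; the
    hash-collision attack exploits the per-insertion cost of the parameter
    table, so the cap counts pairs actually inserted. Pairs beyond the cap
    are ignored and truncated=True is returned, mirroring Tomcat's behaviour
    of processing only the first maxParameterCount parameters.
    """
    if len(body) > max_post_size:
        raise ParameterLimitExceeded(
            "body of %d bytes exceeds max_post_size=%d" % (len(body), max_post_size))

    params = {}
    accepted = 0
    truncated = False
    for pair in body.split("&"):
        if pair == "":              # tolerate "a=1&&b=2" and a trailing "&"
            continue
        if accepted >= max_parameter_count:
            truncated = True        # stop before another table insertion
            break
        name, _, value = pair.partition("=")   # "flag" -> ("flag", "", "")
        name, value = unquote_plus(name), unquote_plus(value)
        params.setdefault(name, []).append(value)
        accepted += 1
    return params, truncated


if __name__ == "__main__":
    # Constructed sample: 20 distinct parameters against a cap of 10.
    sample = "&".join("k%d=v%d" % (i, i) for i in range(20))
    parsed, cut = parse_parameters(sample, max_parameter_count=10)
    print(len(parsed), "parameters kept, truncated =", cut)
```

In Tomcat itself the equivalent knob is the `maxParameterCount` attribute on the `<Connector>` element in server.xml, applied to GET plus POST parameters of one request.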
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 4.3.0 CP10

Via RHSA-2012:0041 https://rhn.redhat.com/errata/RHSA-2012-0041.html

Bug #783359 was filed to address CVE-2012-0022.

This issue has been addressed in following products:

  JBoss Communications Platform 5.1.3

Via RHSA-2012:0078 https://rhn.redhat.com/errata/RHSA-2012-0078.html

This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:0077 https://rhn.redhat.com/errata/RHSA-2012-0077.html

This issue has been addressed in following products:

  JBEWP 5 for RHEL 6
  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5

Via RHSA-2012:0076 https://rhn.redhat.com/errata/RHSA-2012-0076.html

This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:0075 https://rhn.redhat.com/errata/RHSA-2012-0075.html

This issue has been addressed in following products:

  JBEAP 5 for RHEL 6
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5

Via RHSA-2012:0074 https://rhn.redhat.com/errata/RHSA-2012-0074.html

This issue has been addressed in following products:

  JBoss Operations Network 2.4.2

Via RHSA-2012:0089 https://rhn.redhat.com/errata/RHSA-2012-0089.html

This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 4.3 CP07

Via RHSA-2012:0091 https://rhn.redhat.com/errata/RHSA-2012-0091.html

This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.2.0, JBoss Enterprise Portal Platform 5.2.0 and JBoss Enterprise SOA Platform 5.2.0

Via RHSA-2012:0325 https://rhn.redhat.com/errata/RHSA-2012-0325.html

This issue has been addressed in following products:

  JBoss Operations Network 3.0.1

Via RHSA-2012:0406 https://rhn.redhat.com/errata/RHSA-2012-0406.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0475 https://rhn.redhat.com/errata/RHSA-2012-0475.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0474 https://rhn.redhat.com/errata/RHSA-2012-0474.html

This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0680 https://rhn.redhat.com/errata/RHSA-2012-0680.html

This issue has been addressed in following products:

  JBEWS 1.0

Via RHSA-2012:0679 https://rhn.redhat.com/errata/RHSA-2012-0679.html

This issue has been addressed in following products:

  JBEWS 1.0

Via RHSA-2012:0681 https://rhn.redhat.com/errata/RHSA-2012-0681.html

This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0682 https://rhn.redhat.com/errata/RHSA-2012-0682.html