Bug 750521 (CVE-2011-4084, CVE-2011-4858)

Summary: CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aogburn, awnuk, ccoleman, daxiezhi, djorm, dknox, jdennis, jlee, jpazdziora, mfuruta, mharmsen, mhasko, ole.d, patrickm, pcheung, sappleto, security-response-team, tkramer, tromey, vdanen, yohmura
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-06-06 06:18:19 UTC
Bug Depends On: 751657, 751658, 751659, 751660, 751661, 751662, 751663, 751664, 751665, 751666, 771526, 771532
Bug Blocks: 750525, 770929, 795277, 804887, 810065, 811419

Description Jan Lieskovsky 2011-11-01 13:21:09 UTC
Julian Wälde and Alexander Klink reported a way to degrade the performance of the Java Hashtable implementation by filling the hash table with keys with identical hash codes - see bug #750533 for details.  This issue can be used to mount an efficient denial of service attack against the Tomcat application server, which parses HTTP request parameters into a hash table and hence exposes this problem.  A remote attacker could use that to make the Tomcat Java process use an excessive amount of CPU time by sending a POST request with a large number of parameters which hash to the same value.

Comment 2 Jan Lieskovsky 2011-11-01 13:29:04 UTC
Acknowledgements:

Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters.

Comment 18 Tomas Hoger 2011-12-29 13:18:53 UTC
As the issue is currently not planned to be addressed in the Java hash table implementation (see bug #750533, comment #12), Tomcat upstream has added a workaround to protect against this issue.  The Tomcat patch introduces support for a new connector parameter, maxParameterCount, which limits the number of parameters processed for a single request.  The default value of 10000 is believed to be high enough not to introduce regressions for existing applications and should also mitigate the attack sufficiently.  See the upstream announcement for details:

http://markmail.org/thread/jni4gb5biaolh66t

Related upstream commits in various SVN branches:

tomcat-7.0.x
http://svn.apache.org/viewvc?view=revision&revision=1189899
http://svn.apache.org/viewvc?view=revision&revision=1190372
http://svn.apache.org/viewvc?view=revision&revision=1190482
http://svn.apache.org/viewvc?view=revision&revision=1194917
http://svn.apache.org/viewvc?view=revision&revision=1195225
http://svn.apache.org/viewvc?view=revision&revision=1195226
http://svn.apache.org/viewvc?view=revision&revision=1195537
http://svn.apache.org/viewvc?view=revision&revision=1195909
http://svn.apache.org/viewvc?view=revision&revision=1195944
http://svn.apache.org/viewvc?view=revision&revision=1195951
http://svn.apache.org/viewvc?view=revision&revision=1195977
http://svn.apache.org/viewvc?view=revision&revision=1198641
http://svn.apache.org/viewvc?view=revision&revision=1200184
http://svn.apache.org/viewvc?view=revision&revision=1200186
http://svn.apache.org/viewvc?view=revision&revision=1200218
http://svn.apache.org/viewvc?view=revision&revision=1200318
http://svn.apache.org/viewvc?view=revision&revision=1200321
http://svn.apache.org/viewvc?view=revision&revision=1202708
http://svn.apache.org/viewvc?view=revision&revision=1224665

tomcat-6.0.x
http://svn.apache.org/viewvc?view=revision&revision=1200601
http://svn.apache.org/viewvc?view=revision&revision=1206324

tomcat-5.5.x
http://svn.apache.org/viewvc?view=revision&revision=1221282
http://svn.apache.org/viewvc?view=revision&revision=1224640
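
The following is an added example, not code from this bug report, from Tomcat or from the reporters. It reproduces on a small scale the two points made above: the description's observation that keys sharing a java.lang.String.hashCode() all land on one Hashtable chain (so n inserts cost about n^2/2 key comparisons), and comment 18's mitigation of capping the number of parameters parsed per request. java_string_hash() reimplements String.hashCode() exactly; ChainedTable is a simplified model of java.util.Hashtable.put() (bucket = (h & 0x7FFFFFFF) % capacity, linear chain walk, grow to 2n+1 at 75% load) and parse_form_body() is a stand-in for a form parser guarded by a cap like maxParameterCount. The table model, the "surplus pairs are not parsed" behaviour, the key names and the demo cap of 256 are all assumptions for illustration, not Tomcat's actual code or defaults.

```python
# Added example (not from the bug report, Tomcat or the reporters): a small
# reproduction of the hashDoS mechanism and of a parameter-count cap.
# ChainedTable and parse_form_body are simplified models (assumptions), not
# java.util.Hashtable or Tomcat's Parameters class.
from itertools import product
from urllib.parse import unquote_plus


def java_string_hash(s: str) -> int:
    """java.lang.String.hashCode(): h = 31*h + c over the chars, as a signed 32-bit int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_keys(count: int, blocks=("Aa", "BB")) -> list:
    """Return `count` distinct strings that share one hashCode().

    "Aa" and "BB" both hash to 2112.  hashCode() is a polynomial in the
    characters, so hash(X + Y) == hash(X) * 31**len(Y) + hash(Y) (mod 2**32);
    any two concatenations of n such blocks therefore collide: 2**n keys, 2n chars each.
    """
    n = 1
    while len(blocks) ** n < count:
        n += 1
    return ["".join(p) for p in product(blocks, repeat=n)][:count]


class ChainedTable:
    """Cost model of java.util.Hashtable.put(); counts key comparisons made on chain walks."""

    def __init__(self, capacity: int = 11):
        self.buckets = [[] for _ in range(capacity)]
        self.count = 0
        self.comparisons = 0

    def _chain(self, key):
        return self.buckets[(java_string_hash(key) & 0x7FFFFFFF) % len(self.buckets)]

    def put(self, key, value):
        chain = self._chain(key)
        for entry in chain:              # every existing key in the bucket is compared
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])
        self.count += 1
        if self.count > 0.75 * len(self.buckets):
            self._rehash()

    def _rehash(self):
        # Growing does not help: keys with one hashCode share a bucket at every capacity.
        old, self.buckets = self.buckets, [[] for _ in range(2 * len(self.buckets) + 1)]
        for chain in old:
            for entry in chain:
                self._chain(entry[0]).append(entry)


def parse_form_body(body: str, max_parameter_count: int = 10000):
    """Parse an application/x-www-form-urlencoded body into a ChainedTable,
    handling at most max_parameter_count pairs (10000 is the upstream default
    quoted in comment 18).  Returns (table, accepted, dropped)."""
    table = ChainedTable()
    accepted = dropped = 0
    for pair in body.split("&"):
        if accepted >= max_parameter_count:
            dropped += 1                 # assumption: surplus pairs are simply not parsed
            continue
        key, _, value = pair.partition("=")
        table.put(unquote_plus(key), unquote_plus(value))
        accepted += 1
    return table, accepted, dropped


def demo(n: int = 2048, cap: int = 256) -> dict:
    """Insertion cost for n benign keys, n colliding keys, and the colliding
    body behind a deliberately small (demo-only) parameter cap."""
    benign = "&".join(f"param{i}=x" for i in range(n))          # constructed input
    hostile = "&".join(f"{k}=x" for k in colliding_keys(n))     # constructed input
    t_benign, _, _ = parse_form_body(benign)
    t_hostile, _, _ = parse_form_body(hostile)
    t_capped, accepted, dropped = parse_form_body(hostile, max_parameter_count=cap)
    return {
        "benign_comparisons": t_benign.comparisons,
        "hostile_comparisons": t_hostile.comparisons,   # n*(n-1)/2: one long chain
        "capped_comparisons": t_capped.comparisons,     # cap*(cap-1)/2
        "accepted": accepted,
        "dropped": dropped,
    }


if __name__ == "__main__":
    for name, val in demo().items():
        print(f"{name:>20}: {val}")
```

Under this model the cap bounds the cost per request rather than removing it: a request that fills the default cap of 10000 still costs about 10000*9999/2, roughly 5e7, key comparisons, which is why comment 18 says "sufficiently" and why a POST size limit such as the one noted for JBoss Web in comment 24 bounds the damage further. In a real Tomcat deployment the cap is the maxParameterCount attribute on the Connector element in server.xml; the value of 256 used by demo() is only there to make the effect visible on a small input.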

Comment 19 Tomas Hoger 2011-12-29 17:05:18 UTC
(In reply to comment #18)
> http://markmail.org/thread/jni4gb5biaolh66t

As noted in upstream post, maxParameterCount is available in 7.0.23 and 6.0.35, and should be available in 5.5.35 once released.

Comment 23 Vincent Danen 2012-01-03 20:57:05 UTC
oCERT made a mistake when publishing the CVE name.  The CVE name for this flaw is _not_ CVE-2011-4084, it should have been CVE-2011-4858.  I have updated the bug to reflect this.

CVE-2011-4084 will not be used.

Comment 24 David Jorm 2012-01-03 23:50:46 UTC
JBoss Web is affected by this flaw. The impact is restricted by JBoss Web's limit on the total size of a POST message.

Comment 27 Vincent Danen 2012-01-05 14:39:54 UTC
Upstream announcement:

http://markmail.org/message/jni4gb5biaolh66t

Comment 35 Vincent Danen 2012-01-17 23:40:08 UTC
I see no mention of CVE-2011-4858 at all on the Tomcat site; are they using CVE-2012-0022 _instead_ of CVE-2011-4858 then?

I'm adding the CVE alias to this bug, but we probably should find out whether or not upstream is even using CVE-2011-4858 for anything now, or if this is supposed to be two overlapping CVEs.

Comment 36 Tomas Hoger 2012-01-18 08:34:18 UTC
(In reply to comment #35)
> I see no mention of CVE-2011-4858 at all on the Tomcat site; are they using
> CVE-2012-0022 _instead_ of CVE-2011-4858 then?

No, my understanding is that while fixing the hashdos issue (CVE-2011-4858), upstream discovered other issues / inefficiencies in the parameter parsing code.  This is confirmed by the CVE-2012-0022 announcement:

  http://markmail.org/thread/c4bvywhk5euqvv7x

  Analysis of the recent hash collision vulnerability identified unrelated
  inefficiencies with Apache Tomcat's handling of large numbers of parameters
  and parameter values.

All issues were apparently fixed together and the hashdos fix was publicly acknowledged at the same time all other hashdos issues were made public, but these other issues were not mentioned publicly before yesterday's announcement.

We should track CVE-2012-0022 via a separate bug.

Comment 37 errata-xmlrpc 2012-01-19 17:22:30 UTC
This issue has been addressed in the following products:

   JBoss Enterprise Application Platform 4.3.0 CP10

Via RHSA-2012:0041 https://rhn.redhat.com/errata/RHSA-2012-0041.html

Comment 38 Vincent Danen 2012-01-21 00:03:42 UTC
Bug #783359 was filed to address CVE-2012-0022.

Comment 41 errata-xmlrpc 2012-01-31 23:04:20 UTC
This issue has been addressed in the following products:

  JBoss Communications Platform 5.1.3

Via RHSA-2012:0078 https://rhn.redhat.com/errata/RHSA-2012-0078.html

Comment 42 errata-xmlrpc 2012-01-31 23:06:41 UTC
This issue has been addressed in the following products:

   JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:0077 https://rhn.redhat.com/errata/RHSA-2012-0077.html

Comment 43 errata-xmlrpc 2012-01-31 23:07:03 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 6
  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5

Via RHSA-2012:0076 https://rhn.redhat.com/errata/RHSA-2012-0076.html

Comment 44 errata-xmlrpc 2012-01-31 23:07:24 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:0075 https://rhn.redhat.com/errata/RHSA-2012-0075.html

Comment 45 errata-xmlrpc 2012-01-31 23:07:50 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 6
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5

Via RHSA-2012:0074 https://rhn.redhat.com/errata/RHSA-2012-0074.html

Comment 47 errata-xmlrpc 2012-02-01 21:58:52 UTC
This issue has been addressed in the following products:

  JBoss Operations Network 2.4.2

Via RHSA-2012:0089 https://rhn.redhat.com/errata/RHSA-2012-0089.html

Comment 48 errata-xmlrpc 2012-02-02 22:20:23 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Portal Platform 4.3 CP07

Via RHSA-2012:0091 https://rhn.redhat.com/errata/RHSA-2012-0091.html

Comment 53 errata-xmlrpc 2012-02-22 05:11:19 UTC
This issue has been addressed in the following products:

JBoss Enterprise BRMS Platform 5.2.0, JBoss Enterprise Portal Platform 5.2.0 and JBoss Enterprise SOA Platform 5.2.0

Via RHSA-2012:0325 https://rhn.redhat.com/errata/RHSA-2012-0325.html

Comment 59 errata-xmlrpc 2012-03-20 17:09:15 UTC
This issue has been addressed in the following products:

  JBoss Operations Network 3.0.1

Via RHSA-2012:0406 https://rhn.redhat.com/errata/RHSA-2012-0406.html

Comment 65 errata-xmlrpc 2012-04-11 17:17:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0475 https://rhn.redhat.com/errata/RHSA-2012-0475.html

Comment 66 errata-xmlrpc 2012-04-11 17:17:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0474 https://rhn.redhat.com/errata/RHSA-2012-0474.html

Comment 68 errata-xmlrpc 2012-05-21 16:33:11 UTC
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0680 https://rhn.redhat.com/errata/RHSA-2012-0680.html

Comment 69 errata-xmlrpc 2012-05-21 16:34:20 UTC
This issue has been addressed in the following products:

  JBEWS 1.0

Via RHSA-2012:0679 https://rhn.redhat.com/errata/RHSA-2012-0679.html

Comment 70 errata-xmlrpc 2012-05-21 16:41:44 UTC
This issue has been addressed in the following products:

  JBEWS 1.0

Via RHSA-2012:0681 https://rhn.redhat.com/errata/RHSA-2012-0681.html

Comment 71 errata-xmlrpc 2012-05-21 16:52:43 UTC
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0682 https://rhn.redhat.com/errata/RHSA-2012-0682.html