Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461. Reference: http://ocert.org/advisories/ocert-2011-003.html
External References: https://geronimo.apache.org/22x-security-report.html
Upstream issue: https://issues.apache.org/jira/browse/GERONIMO-6253
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss A-MQ 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Statement: apache-geronimo is packaged with Red Hat OpenStack Platform 13.0's OpenDaylight (ODL). However, because the flaw is moderate, Red Hat will not be releasing a fix for the ODL package at this time.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2011-5034