Fedora Account System
Red Hat Associate
Red Hat Customer
Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461. Reference: http://ocert.org/advisories/ocert-2011-003.html
External References: https://geronimo.apache.org/22x-security-report.html
Upstream issue: https://issues.apache.org/jira/browse/GERONIMO-6253
This vulnerability is out of security support scope for the following products: * Red Hat Jboss Fuse 6 * Red Hat JBoss A-MQ 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Statement: apache-geronimo is packaged with Red Hat OpenStack Platform 13.0's OpenDaylight (ODL). However because the flaw is moderate, Red Hat will not be releasing a fix for the ODL package at this time.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2011-5034