Bug 750521 - (CVE-2011-4084, CVE-2011-4858) CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20111228,repor...
Keywords: Security
Depends On: 751657 751658 751659 751660 751661 751662 751663 751664 751665 751666 771526 771532
Blocks: hashdos/oCERT-2011-003 750525 795277 804887 810065 811419
Reported: 2011-11-01 09:21 EDT by Jan Lieskovsky
Modified: 2015-07-31 02:45 EDT (History)
Doc Type: Bug Fix
Last Closed: 2012-06-06 02:18:19 EDT

Description Jan Lieskovsky 2011-11-01 09:21:09 EDT
Julian Wälde and Alexander Klink reported a way to degrade performance of the Java Hashtable implementation by filling the hash table with keys with identical hash codes - see bug #750533 for details.  This issue can be used to mount an efficient denial of service attack against the Tomcat application server, which parses HTTP request parameters into a hash table and hence exposes this problem.  A remote attacker could use that to make the Tomcat java process use an excessive amount of CPU time by sending a POST request with a large number of parameters which hash to the same value.
Comment 2 Jan Lieskovsky 2011-11-01 09:29:04 EDT
Acknowledgements:

Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters.
Comment 18 Tomas Hoger 2011-12-29 08:18:53 EST
As the issue is currently not planned to be addressed in the Java hash table implementation (see bug #750533, comment #12), Tomcat upstream has added a workaround to protect against this issue.  The Tomcat patch introduces support for a new connector parameter - maxParameterCount - which limits the number of parameters processed for a single request.  The default value of 10000 is believed to be high enough not to introduce regressions for existing applications and should also mitigate the attack sufficiently.  See the upstream announcement for details:

http://markmail.org/thread/jni4gb5biaolh66t

Related upstream commits in various SVN branches:

tomcat-7.0.x
http://svn.apache.org/viewvc?view=revision&revision=1189899
http://svn.apache.org/viewvc?view=revision&revision=1190372
http://svn.apache.org/viewvc?view=revision&revision=1190482
http://svn.apache.org/viewvc?view=revision&revision=1194917
http://svn.apache.org/viewvc?view=revision&revision=1195225
http://svn.apache.org/viewvc?view=revision&revision=1195226
http://svn.apache.org/viewvc?view=revision&revision=1195537
http://svn.apache.org/viewvc?view=revision&revision=1195909
http://svn.apache.org/viewvc?view=revision&revision=1195944
http://svn.apache.org/viewvc?view=revision&revision=1195951
http://svn.apache.org/viewvc?view=revision&revision=1195977
http://svn.apache.org/viewvc?view=revision&revision=1198641
http://svn.apache.org/viewvc?view=revision&revision=1200184
http://svn.apache.org/viewvc?view=revision&revision=1200186
http://svn.apache.org/viewvc?view=revision&revision=1200218
http://svn.apache.org/viewvc?view=revision&revision=1200318
http://svn.apache.org/viewvc?view=revision&revision=1200321
http://svn.apache.org/viewvc?view=revision&revision=1202708
http://svn.apache.org/viewvc?view=revision&revision=1224665

tomcat-6.0.x
http://svn.apache.org/viewvc?view=revision&revision=1200601
http://svn.apache.org/viewvc?view=revision&revision=1206324

tomcat-5.5.x
http://svn.apache.org/viewvc?view=revision&revision=1221282
http://svn.apache.org/viewvc?view=revision&revision=1224640
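An added example in Python (not Tomcat's or Red Hat's code) modelling the maxParameterCount workaround from comment 18 against the attack from the description: parameters past the limit are never inserted into the hash table, so a request carrying a huge number of parameters cannot force unbounded hash-table work. The parser, the 400-rejection policy and the sample bodies are this example's own assumptions.

```python
# Added example, not Tomcat's own code: a bounded form-parameter parser that
# models the maxParameterCount connector attribute described in this bug.
from urllib.parse import unquote_plus

# Tomcat's default for maxParameterCount per the upstream announcement;
# a negative value means "no limit", mirroring the connector attribute.
DEFAULT_MAX_PARAMETER_COUNT = 10000


def _pairs(body):
    """Yield 'name=value' chunks one at a time instead of splitting the whole
    body up front, so work stops as soon as the limit is reached."""
    start = 0
    while start <= len(body):
        end = body.find("&", start)
        if end == -1:
            end = len(body)
        yield body[start:end]
        start = end + 1


def parse_parameters(body, max_parameter_count=DEFAULT_MAX_PARAMETER_COUNT):
    """Parse an application/x-www-form-urlencoded body into {name: [values]}.

    Returns (params, truncated). Parsing stops once max_parameter_count
    parameters have been stored; truncated tells the caller that happened.
    """
    params = {}
    count = 0
    for pair in _pairs(body):
        if not pair:            # tolerate "a=1&&b=2" and a trailing "&"
            continue
        if 0 <= max_parameter_count <= count:
            return params, True  # limit hit: the rest of the body is ignored
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
        count += 1
    return params, False


def handle_request(body, max_parameter_count=DEFAULT_MAX_PARAMETER_COUNT):
    """Return an HTTP status: 400 when the request exceeded the limit (this
    example's rejection policy, in the spirit of Tomcat's FailedRequestFilter),
    200 otherwise."""
    _, truncated = parse_parameters(body, max_parameter_count)
    return 400 if truncated else 200


# Constructed sample bodies: an ordinary form, and a flood of distinct names.
NORMAL_BODY = "user=alice&role=admin&role=dev"
FLOOD_BODY = "&".join("p%d=%d" % (i, i) for i in range(25))
```

With the limit lowered to 10 for the demonstration, the flood body is cut off after ten parameters and rejected, while the ordinary form parses completely.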
Comment 19 Tomas Hoger 2011-12-29 12:05:18 EST
(In reply to comment #18)
> http://markmail.org/thread/jni4gb5biaolh66t

As noted in the upstream post, maxParameterCount is available in 7.0.23 and 6.0.35, and should be available in 5.5.35 once released.
Comment 23 Vincent Danen 2012-01-03 15:57:05 EST
oCERT made a mistake when publishing the CVE name.  The CVE name for this flaw is _not_ CVE-2011-4084; it should have been CVE-2011-4858.  I have updated the bug to reflect this.

CVE-2011-4084 will not be used.
Comment 24 David Jorm 2012-01-03 18:50:46 EST
JBoss Web is affected by this flaw. The impact is restricted by JBoss Web's limit on the total size of a POST message.
Comment 27 Vincent Danen 2012-01-05 09:39:54 EST
Upstream announcement:

http://markmail.org/message/jni4gb5biaolh66t
Comment 35 Vincent Danen 2012-01-17 18:40:08 EST
I see no mention of CVE-2011-4858 at all on the Tomcat site; are they using CVE-2012-0022 _instead_ of CVE-2011-4858 then?

I'm adding the CVE alias to this bug, but we probably should find out whether or not upstream is even using CVE-2011-4858 for anything now, or if this is supposed to be two overlapping CVEs.
Comment 36 Tomas Hoger 2012-01-18 03:34:18 EST
(In reply to comment #35)
> I see no mention of CVE-2011-4858 at all on the Tomcat site; are they using
> CVE-2012-0022 _instead_ of CVE-2011-4858 then?

No, my understanding is that while fixing the hashdos issue (CVE-2011-4858), upstream discovered other issues / inefficiencies in the parameter parsing code.  This is confirmed by the CVE-2012-0022 announcement:

  http://markmail.org/thread/c4bvywhk5euqvv7x

  Analysis of the recent hash collision vulnerability identified unrelated
  inefficiencies with Apache Tomcat's handling of large numbers of parameters
  and parameter values.

All issues were apparently fixed together, and the hashdos fix was publicly acknowledged at the same time all other hashdos issues were made public, but these other issues were not mentioned publicly before yesterday's announcement.

We should track CVE-2012-0022 via a separate bug.
Comment 37 errata-xmlrpc 2012-01-19 12:22:30 EST
This issue has been addressed in the following products:

   JBoss Enterprise Application Platform 4.3.0 CP10

Via RHSA-2012:0041 https://rhn.redhat.com/errata/RHSA-2012-0041.html
Comment 38 Vincent Danen 2012-01-20 19:03:42 EST
Bug #783359 was filed to address CVE-2012-0022.
Comment 41 errata-xmlrpc 2012-01-31 18:04:20 EST
This issue has been addressed in the following products:

  JBoss Communications Platform 5.1.3

Via RHSA-2012:0078 https://rhn.redhat.com/errata/RHSA-2012-0078.html
Comment 42 errata-xmlrpc 2012-01-31 18:06:41 EST
This issue has been addressed in the following products:

   JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:0077 https://rhn.redhat.com/errata/RHSA-2012-0077.html
Comment 43 errata-xmlrpc 2012-01-31 18:07:03 EST
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 6
  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5

Via RHSA-2012:0076 https://rhn.redhat.com/errata/RHSA-2012-0076.html
Comment 44 errata-xmlrpc 2012-01-31 18:07:24 EST
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:0075 https://rhn.redhat.com/errata/RHSA-2012-0075.html
Comment 45 errata-xmlrpc 2012-01-31 18:07:50 EST
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 6
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5

Via RHSA-2012:0074 https://rhn.redhat.com/errata/RHSA-2012-0074.html
Comment 47 errata-xmlrpc 2012-02-01 16:58:52 EST
This issue has been addressed in the following products:

  JBoss Operations Network 2.4.2

Via RHSA-2012:0089 https://rhn.redhat.com/errata/RHSA-2012-0089.html
Comment 48 errata-xmlrpc 2012-02-02 17:20:23 EST
This issue has been addressed in the following products:

  JBoss Enterprise Portal Platform 4.3 CP07

Via RHSA-2012:0091 https://rhn.redhat.com/errata/RHSA-2012-0091.html
Comment 53 errata-xmlrpc 2012-02-22 00:11:19 EST
This issue has been addressed in the following products:

JBoss Enterprise BRMS Platform 5.2.0, JBoss Enterprise Portal Platform 5.2.0 and JBoss Enterprise SOA Platform 5.2.0

Via RHSA-2012:0325 https://rhn.redhat.com/errata/RHSA-2012-0325.html
Comment 59 errata-xmlrpc 2012-03-20 13:09:15 EDT
This issue has been addressed in the following products:

  JBoss Operations Network 3.0.1

Via RHSA-2012:0406 https://rhn.redhat.com/errata/RHSA-2012-0406.html
Comment 65 errata-xmlrpc 2012-04-11 13:17:21 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0475 https://rhn.redhat.com/errata/RHSA-2012-0475.html
Comment 66 errata-xmlrpc 2012-04-11 13:17:45 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0474 https://rhn.redhat.com/errata/RHSA-2012-0474.html
Comment 68 errata-xmlrpc 2012-05-21 12:33:11 EDT
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0680 https://rhn.redhat.com/errata/RHSA-2012-0680.html
Comment 69 errata-xmlrpc 2012-05-21 12:34:20 EDT
This issue has been addressed in the following products:

  JBEWS 1.0

Via RHSA-2012:0679 https://rhn.redhat.com/errata/RHSA-2012-0679.html
Comment 70 errata-xmlrpc 2012-05-21 12:41:44 EDT
This issue has been addressed in the following products:

  JBEWS 1.0

Via RHSA-2012:0681 https://rhn.redhat.com/errata/RHSA-2012-0681.html
Comment 71 errata-xmlrpc 2012-05-21 12:52:43 EDT
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0682 https://rhn.redhat.com/errata/RHSA-2012-0682.html