U-072: Apache Tomcat Hash Table Collision Bug Lets Remote Users Deny Service

December 30, 2011 - 9:15am

PROBLEM:

Apache Tomcat Hash Table Collision Bug Lets Remote Users Deny Service

PLATFORM:

Apache Tomcat 5.5.34, 6.0.34, 7.0.22; and prior versions

ABSTRACT:

A remote user can cause performance to degrade on the target server.

REFERENCE LINKS:

Apache Tomcat Security Alert
SecurityTracker Alert ID: 1026477
nruns Advisory SA-2011.004
Secunia Advisory SA47411
CVE-2011-4084

IMPACT ASSESSMENT:

Medium

Discussion:

A vulnerability was reported in Apache Tomcat. A remote user can cause denial of service conditions. A remote user can send specially crafted POST request values to trigger hash collisions and cause significant performance degradation on the target server.

Impact:

The vulnerability is caused by an error within a hash generation function when hashing form posts and updating a hash table. This can be exploited to cause a hash collision, resulting in high CPU consumption, via a specially crafted form sent in an HTTP POST request.
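The following detection example is added here and is not code from the advisory or from the Apache Tomcat project. It parses a form-encoded POST body and flags bodies whose distinct parameter names fall on the same hash value, or whose parameter count is excessive. It assumes parameter names are hashed with Java's `String.hashCode()`; the thresholds, the function names and the sample bodies are constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qsl

# Assumed thresholds for illustration; tune them to the application's real forms.
MAX_PARAMS = 1000
MAX_SAME_HASH = 3


def java_string_hash(s: str) -> int:
    """Java String.hashCode(): h = 31*h + UTF-16 code unit, wrapped to 32 bits.

    Returned as an unsigned value; that is enough for grouping equal hashes.
    """
    data = s.encode("utf-16-be")
    h = 0
    for i in range(0, len(data), 2):
        h = (31 * h + ((data[i] << 8) | data[i + 1])) & 0xFFFFFFFF
    return h


def inspect_form_body(body, max_params=MAX_PARAMS, max_same_hash=MAX_SAME_HASH):
    """Report parameter count and the largest group of distinct names sharing a hash."""
    pairs = parse_qsl(body, keep_blank_values=True)
    names = {name for name, _ in pairs}
    groups = Counter(java_string_hash(n) for n in names)
    largest = max(groups.values(), default=0)
    return {
        "params": len(pairs),
        "largest_collision_group": largest,
        "suspicious": len(pairs) > max_params or largest > max_same_hash,
    }


# Constructed sample bodies (not captured traffic).
BENIGN = "user=alice&page=2&sort=asc"
COLLIDING = "AaAa=1&AaBB=1&BBAa=1&BBBB=1"

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("colliding", COLLIDING)):
        print(label, inspect_form_body(body))
```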

Solution:

Apache Tomcat Released
