Hi All,

I am working on resolving the CVE-2012-0022 DoS in JBoss Web, and I wanted to confirm some details if anyone can help. Based on reading the advisory and Tomcat patch code, it seems to me that the issue is simply slow processing when a very large number of parameters is received with a request.

The JBoss Web patch we implemented for CVE-2011-4858 (hash DoS) limits the number of parameters that can be passed with a request to 512 by default. With this limit in place, I am unable to reproduce CVE-2012-0022 by passing in a very large number of parameters.

I wanted to check whether handling a very large number of parameters is all that is required to resolve CVE-2012-0022, or whether there is something more to it that I have missed?

Thanks in advance
--
David Jorm / Red Hat Security Response Team
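
The post describes a cap on the number of request parameters (512 by default in the JBoss Web patch). The following is an added example, not code from the post, JBoss Web or Tomcat: a parser that enforces such a cap while it scans, so the work done is bounded by the cap and not by the size of the request. The class, method and exception names are hypothetical, and rejecting the request outright is a design choice made for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration; hypothetical class, not JBoss Web or Tomcat code.
public class BoundedParameterParser {
    static final int DEFAULT_MAX_PARAMETERS = 512; // default limit quoted in the post

    /** Raised as soon as the cap is exceeded, before the extra parameter is decoded. */
    static class TooManyParametersException extends Exception {
        TooManyParametersException(int max) { super("more than " + max + " parameters"); }
    }

    static Map<String, List<String>> parse(String query, int max) throws TooManyParametersException {
        Map<String, List<String>> params = new LinkedHashMap<>();
        int count = 0;
        int start = 0;
        while (start < query.length()) {
            int end = query.indexOf('&', start);
            if (end < 0) end = query.length();
            if (end > start) {                        // skip empty segments such as "&&"
                if (++count > max) throw new TooManyParametersException(max);
                String segment = query.substring(start, end);
                int eq = segment.indexOf('=');        // a name without '=' gets an empty value
                String name = decode(eq < 0 ? segment : segment.substring(0, eq));
                String value = eq < 0 ? "" : decode(segment.substring(eq + 1));
                params.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
            }
            start = end + 1;
        }
        return params;
    }

    private static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8); // Charset overload needs Java 10+
    }

    public static void main(String[] args) throws Exception {
        System.out.println(parse("a=1&b=2&a=3", DEFAULT_MAX_PARAMETERS));
        StringBuilder big = new StringBuilder();      // constructed oversized request body
        for (int i = 0; i < 100_000; i++) big.append('p').append(i).append("=x&");
        try {
            parse(big.toString(), DEFAULT_MAX_PARAMETERS);
        } catch (TooManyParametersException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```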