On Sat, Jan 21, 2012 at 9:02 AM, David Jorm <dj...@redhat.com> wrote:
> Hi All
>
> I am working on resolving the CVE-2012-0022 DoS in JBoss Web, and I wanted to 
> confirm some details if anyone can help. Based on reading the advisory and 
> Tomcat patch code, it seems to me that the issue is simply slow processing 
> when a very large number of parameters is received with a request. The JBoss 
> Web patch we implemented for CVE-2011-4858 (hash DoS) limits the number of 
> parameters that can be passed with a request to 512 by default. With this 
> limit in place, I am unable to reproduce CVE-2012-0022 by passing in a very 
> large number of parameters. I wanted to check whether handling a very large 
> number of parameters is all that is required to resolve CVE-2012-0022, or 
> whether there is something more to it that I have missed?
>

JBoss Web and Tomcat are separate products, and issues are often dealt
with in different ways. Please do not bother the Tomcat community with
issues that do not concern them.

Rémy

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
