On 01/21/2012 07:16 PM, Remy Maucherat wrote:
> On Sat, Jan 21, 2012 at 9:02 AM, David Jorm<dj...@redhat.com> wrote:
> > Hi All,
> > I am working on resolving the CVE-2012-0022 DoS in JBoss Web, and I wanted to
> > confirm some details if anyone can help. Based on reading the advisory and
> > Tomcat patch code, it seems to me that the issue is simply slow processing when
> > a very large number of parameters is received with a request. The JBoss Web
> > patch we implemented for CVE-2011-4858 (hash DoS) limits the number of
> > parameters that can be passed with a request to 512 by default. With this limit
> > in place, I am unable to reproduce CVE-2012-0022 by passing in a very large
> > number of parameters. I wanted to check whether handling a very large number of
> > parameters is all that is required to resolve CVE-2012-0022, or whether there
> > is something more to it that I have missed.
> JBoss Web and Tomcat are separate products, and issues are often dealt
> with in different ways. Please do not bother the Tomcat community with
> issues that do not concern them.
> Rémy
Sorry, I think I unnecessarily confused things by mentioning JBoss Web.
The point of my question was to check whether my understanding of the
CVE-2012-0022 issue is complete, i.e. whether the issue is just slow
processing leading to a DoS when a very large number of parameters is
received with a request, or whether there is some further complexity
that I have overlooked. My understanding of Tomcat is incomplete, so I
just wanted to check whether my reading of the advisory and patch was
correct or not. The intent is to apply this understanding to fixing the
issue for JBoss Web, but that is decoupled from the question.
Thanks
David
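To make the mitigation David describes concrete, here is an added example (not code from Tomcat, JBoss Web or either poster): a small form-urlencoded parser that rejects a request as soon as it exceeds a parameter ceiling, using the 512 default quoted above as the limit. The class and exception names and the sample inputs are assumptions constructed for the example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical class name; not Tomcat's or JBoss Web's own parameter code.
public class BoundedParameterParser {
    // Raised when a request carries more parameters than the configured ceiling.
    public static class ParameterLimitException extends Exception {
        public ParameterLimitException(String msg) { super(msg); }
    }
    private final int maxParameters;
    public BoundedParameterParser(int maxParameters) { this.maxParameters = maxParameters; }

    // Parses an application/x-www-form-urlencoded query string or body. The count is
    // checked before each pair is decoded and stored, so an oversized request is
    // rejected after at most maxParameters units of work instead of being parsed in full.
    public Map<String, String> parse(String data) throws ParameterLimitException {
        Map<String, String> params = new LinkedHashMap<>();
        int count = 0, start = 0;
        while (data != null && start <= data.length()) {
            int end = data.indexOf('&', start);
            if (end < 0) end = data.length();
            String pair = data.substring(start, end);
            start = end + 1;
            if (pair.isEmpty()) continue;                     // tolerate "a=1&&b=2"
            if (++count > maxParameters) {
                throw new ParameterLimitException("request exceeds " + maxParameters + " parameters");
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(decode(name), decode(value));          // a repeated name keeps the last value
        }
        return params;
    }

    private static String decode(String s) {
        try { return URLDecoder.decode(s, "UTF-8"); }         // throws IllegalArgumentException on a bad %xx
        catch (UnsupportedEncodingException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) throws Exception {
        BoundedParameterParser parser = new BoundedParameterParser(512);  // the default quoted above
        System.out.println(parser.parse("user=alice&page=2"));
        StringBuilder flood = new StringBuilder();                        // constructed oversized input
        for (int i = 0; i < 600; i++) flood.append("p").append(i).append("=x&");
        try { parser.parse(flood.toString()); }
        catch (ParameterLimitException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The ceiling only bounds parsing work per request; it does not change the per-parameter cost, which is why the count must be enforced before decoding rather than after the map is built.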