Christopher Schultz <ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> David,
>
> On 1/21/12 3:02 AM, David Jorm wrote:
>> Based on reading the advisory and Tomcat patch code, it seems to me
>> that the issue is simply slow processing when a very large number
>> of parameters is received with a request.
>
> The parameter names must have colliding hash code values in order to
> exercise this particular vulnerability. Otherwise, large numbers of
> request parameters are merely a potential memory exhaustion
> vulnerability (which is a different issue).

No, no, no. That is completely wrong. CVE-2012-0022 is solely about the
number of parameters and NOTHING TO DO WITH HASH COLLISIONS.

>> The JBoss Web patch we implemented for CVE-2011-4858 (hash DoS)
>> limits the number of parameters that can be passed with a request
>> to 512 by default.
>
> Limiting the number of request parameters is one mitigating technique.
> Tomcat uses 10000 as the default limit which seems reasonable for most
> users and, of course, can be raised or lowered if necessary.

Limiting the number of parameters provides defence against *any* attack
vector that depends on a large number of parameters. The limit was
primarily put in place to protect against hash collisions, not
CVE-2012-0022, although it does go a long way to protect against this
issue too.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
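The parameter cap discussed in this thread is set per Connector in Tomcat's server.xml. The fragment below is an added illustration written for this page, not configuration posted by Mark, Christopher or David; it assumes a stock HTTP/1.1 Connector on port 8080 and uses the Connector attribute maxParameterCount, whose name does not appear in the thread. The value 10000 is the Tomcat default the thread states; the JBoss Web setting that yields its 512 default is not named in the thread and is therefore not shown.

```xml
<!-- server.xml fragment (added example, not from the thread).
     Port and timeouts are placeholder values for a typical deployment. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           <!-- Cap on parameters (query string plus form body) the
                parser will process for one request. 10000 is the
                default quoted in this thread; lower it to the largest
                form the application actually submits. Because the cap
                applies before parameter names are hashed, it bounds
                the work done by colliding-name requests (CVE-2011-4858)
                and by plain very-large-parameter-count requests
                (CVE-2012-0022) alike. -->
           maxParameterCount="10000"
           <!-- Companion bound on the body the parameter parser reads;
                value shown is the usual 2 MB default. -->
           maxPostSize="2097152" />
```

Since the cap is per Connector, set it on every Connector that serves application traffic, including any AJP Connector behind a front-end proxy; a limit applied only to the HTTP Connector leaves the other path unbounded. Check the Connector reference for the installed Tomcat version for what happens to parameters beyond the limit before relying on the exact behaviour.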