HP has released an additional security bulletin and updated software to address the Apache Tomcat hash table collision denial of service vulnerability.
Description
Apache Tomcat contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.
The vulnerability is due to the way the hash table that the affected software uses to store HTTP request parameters handles keys with identical hash values. An unauthenticated, remote attacker could exploit the vulnerability by submitting well-formed HTTP requests that carry a large number of parameters whose names all produce the same hash value. Processing such a request could cause the application to consume excessive CPU resources, resulting in a DoS condition.
Apache has confirmed the vulnerability and released updated software.
Warning Indicators
Apache Tomcat Java Server versions prior to 6.0.35 and versions prior to 7.0.23 are vulnerable.
IntelliShield Analysis
To exploit the vulnerability, an attacker needs only to submit crafted requests to the affected application; no authentication or prior access is required. Where the application is hosted internally and reachable only according to firewall restrictions, an attacker would need access to a trusted, internal network to exploit it. Tomcat instances that are exposed to the Internet can be targeted directly, so exposure depends on how each instance is reachable rather than on any inherent access requirement.
The vendor has mitigated the vulnerability by introducing a Connector attribute named maxParameterCount that limits the number of parameter and value pairs (GET and POST combined) processed for a single HTTP request. Pairs beyond the limit are ignored; when the attribute is not set, the fixed releases apply a default of 10,000, and a value below 0 disables the limit.
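As an added illustration (not taken from the alert or from the Tomcat project), the setting lives on the Connector element in Tomcat's conf/server.xml. The port, timeout and redirectPort values are illustrative; maxParameterCount and maxPostSize are real Connector attributes.

```xml
<!-- Weak: no limit attribute. On 6.0.35/7.0.23 and later the default of 10,000
     applies; on earlier releases every parameter in the request is processed. -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="8443" />

<!-- Hardened: cap the parsed parameters per request at what the application
     actually needs, and keep the request body bounded as well
     (maxPostSize defaults to 2 MB; 1 MiB shown here as an example). -->
<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
           redirectPort="8443"
           maxParameterCount="1000" maxPostSize="1048576" />
```

Pick the limit from the largest legitimate form the application serves; a limit that is far above that still leaves a wide window of CPU time per request on an unpatched parser, which is why the limit complements the update rather than replacing it.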
Additional information about the hash table collision vulnerability is documented in IntelliShield Alert 24871.
An unauthenticated, remote attacker could exploit the vulnerability to cause an application hosted on Apache Tomcat to consume excessive CPU resources, resulting in a DoS condition.
Technical Information
The vulnerability is due to the predictable hash function that the affected software uses for the hash table mapping HTTP request parameter names to their values. Because the hash of a parameter name can be computed in advance, an attacker can choose many distinct names that all hash to the same value. Every such name lands in the same bucket, so storing each additional parameter requires comparing it against all parameters already in that bucket, and the time needed to process the parameter set grows quadratically with the number of parameters instead of linearly.
An unauthenticated, remote attacker could exploit the vulnerability by submitting an HTTP request, as a GET query string or a POST body, that carries a large number of parameters with colliding names to an application hosted on Tomcat. Processing a single such request can occupy a CPU core for an extended period, and a small number of concurrent requests could trigger a DoS condition.
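The following is an added illustration of the mechanism described above and of the maxParameterCount limit discussed in the analysis; it is not code from the alert or from the Tomcat project. It assumes Java's String.hashCode() (31-based polynomial, wrapping to a signed 32-bit int), a simplified chaining hash table modelled on the pre-fix java.util.HashMap, and a hypothetical parameter parser whose max_parameter_count argument mimics the Connector attribute. The request bodies are constructed inline.

```python
# Added illustration of the Tomcat parameter hash-collision DoS (not Tomcat's own code).
# Assumptions: Java's String.hashCode(); a chaining hash table like the pre-fix
# java.util.HashMap; a parser whose max_parameter_count mimics the Connector attribute.
from typing import List, Optional, Tuple


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over the chars, wrapping to a signed 32-bit int."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


def colliding_names(bits: int) -> List[str]:
    """2**bits distinct parameter names that all share one Java hash.

    "Aa" and "BB" both hash to 2112. Because hashCode() is a polynomial in 31,
    concatenating equal-length blocks with equal hashes always gives equal hashes,
    so every combination of the two blocks collides.
    """
    names = [""]
    for _ in range(bits):
        names = [n + block for n in names for block in ("Aa", "BB")]
    return names


def benign_names(n: int) -> List[str]:
    """Ordinary-looking parameter names, used as the baseline."""
    return [f"p{i}" for i in range(n)]


class ChainingHashMap:
    """Minimal model of the pre-fix HashMap: buckets indexed by the low bits of the
    key's hash, each bucket a list scanned linearly. ``comparisons`` counts key
    comparisons, which is the cost a collision attack inflates to O(n^2)."""

    def __init__(self, capacity: int = 16) -> None:
        self.buckets: List[List[Tuple[str, str]]] = [[] for _ in range(capacity)]
        self.size = 0
        self.comparisons = 0

    def _index(self, key: str, capacity: int) -> int:
        return java_string_hash(key) & (capacity - 1)

    def _grow(self) -> None:
        # Rehash into twice the buckets; colliding keys all move together.
        old = self.buckets
        self.buckets = [[] for _ in range(2 * len(old))]
        for bucket in old:
            for k, v in bucket:
                self.buckets[self._index(k, len(self.buckets))].append((k, v))

    def put(self, key: str, value: str) -> None:
        if self.size >= 3 * len(self.buckets) // 4:   # load factor 0.75, like HashMap
            self._grow()
        bucket = self.buckets[self._index(key, len(self.buckets))]
        for i, (k, _) in enumerate(bucket):
            self.comparisons += 1
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))
        self.size += 1


def parse_parameters(query: str, max_parameter_count: Optional[int] = None
                     ) -> Tuple[ChainingHashMap, bool]:
    """Parse 'a=1&b=2&...' into the map. ``max_parameter_count`` mimics the Connector
    attribute the fix introduced: pairs beyond the limit are not processed, and the
    caller is told the parameter set was truncated. None means no limit (pre-fix)."""
    params = ChainingHashMap()
    processed = 0
    truncated = False
    for pair in query.split("&"):
        if not pair:
            continue
        if max_parameter_count is not None and processed >= max_parameter_count:
            truncated = True
            break
        name, _, value = pair.partition("=")
        params.put(name, value)
        processed += 1
    return params, truncated


def parse_cost(names: List[str], max_parameter_count: Optional[int] = None
               ) -> Tuple[int, int, bool]:
    """Build one request's query string from ``names`` (constructed sample input) and
    return (parameters stored, key comparisons performed, truncated?)."""
    query = "&".join(f"{n}=x" for n in names)
    params, truncated = parse_parameters(query, max_parameter_count)
    return params.size, params.comparisons, truncated


if __name__ == "__main__":
    attack = colliding_names(10)       # 1024 names, 20 bytes each, one hash value
    print("distinct hashes in attack set:", len({java_string_hash(n) for n in attack}))
    print("benign 1024 params:", parse_cost(benign_names(1024)))
    print("colliding, no limit:", parse_cost(attack))
    print("colliding, maxParameterCount=100:", parse_cost(attack, 100))
```

With 1024 colliding names the table performs 1024*1023/2 = 523,776 key comparisons for one request, against a few hundred for 1024 ordinary names; doubling the parameter count quadruples the work, which is the quadratic blow-up the advisory describes. With the limit set to 100 the parser stops after 100 pairs (4,950 comparisons) and reports truncation, bounding the worst case per request.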
Safeguards
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to monitor affected systems.
Patches/Software
Apache has released updated software at the following links:
Version 11, May 22, 2012, 7:49 PM: Red Hat has released additional security advisories and updated packages to address the Apache Tomcat hash table collision denial of service vulnerability.
Version 10, April 12, 2012, 1:22 PM: Red Hat has released additional security advisories and updated packages to address the Apache Tomcat hash table collision denial of service vulnerability. CentOS has also released updated packages to address this vulnerability.
Version 9, April 6, 2012, 4:17 PM: Oracle has released a security advisory and patches to address the Apache Tomcat hash table collision denial of service vulnerability.
Version 8, March 28, 2012, 8:58 AM: HP has released an additional security bulletin and updated software to address the Apache Tomcat hash table collision denial of service vulnerability.
Version 7, March 21, 2012, 1:32 PM: Red Hat has released an additional security advisory and software updates to address the Apache Tomcat hash table collision denial of service vulnerability.
Version 6, February 23, 2012, 2:03 PM: Red Hat has released an additional security advisory and updated package to address the Apache Tomcat hash table collision denial of service vulnerability.
Version 5, February 7, 2012, 1:24 PM: HP has released a security bulletin to address the Apache Tomcat hash table collision denial of service vulnerability.
Version 4, February 6, 2012, 12:26 PM: Red Hat has released security advisories and updated packages to address the Apache Tomcat hash table collision denial of service vulnerability.
Version 3, February 2, 2012, 11:56 AM: Red Hat has released security advisories and updated packages for JBoss Enterprise Application Platforms to address the Apache Tomcat hash table collision denial of service vulnerability.
Version 2, January 20, 2012, 9:07 PM: Red Hat has released a security advisory and updated packages to address the Apache Tomcat hash table collision denial of service vulnerability.
Version 1, January 6, 2012, 3:16 PM: Apache Tomcat contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.
The security vulnerability applies to the following combinations of products.
Primary Products:
The Jakarta Project
Tomcat Java Server
Tomcat 6.0 (Base): 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.0.16, 6.0.18, 6.0.19, 6.0.20, 6.0.21, 6.0.22, 6.0.23, 6.0.24, 6.0.25, 6.0.26, 6.0.27, 6.0.28, 6.0.29, 6.0.30, 6.0.31, 6.0.32, 6.0.33, 6.0.34
Tomcat 7.0 (Base): 7.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 7.0.14, 7.0.15, 7.0.16, 7.0.17, 7.0.18, 7.0.19, 7.0.20, 7.0.21, 7.0.22
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.