
Vulnerability Alert

Apache Tomcat Hash Table Collision Denial of Service Vulnerability

 
Threat Type: CWE-399: Resource Management Errors
IntelliShield ID: 24901
Version: 12
First Published: 2012 January 06 20:16 GMT
Last Published: 2013 April 02 15:49 GMT
Port: Not available
CVE: CVE-2011-4858
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 4.3 (CVSS Version 2.0)
CVSS Temporal: 3.2
 
Version Summary:HP has released an additional security bulletin and updated software to address the Apache Tomcat hash table collision denial of service vulnerability.
 
 
Description
Apache Tomcat contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability is due to an error in the implementation of the hash table that is used by the affected software to store HTTP request parameters. An unauthenticated, remote attacker could exploit the vulnerability by submitting malformed HTTP requests to the affected software. Processing the requests could cause the application to consume excessive CPU resources, resulting in a DoS condition.

Apache has confirmed the vulnerability and released updated software.
 
Warning Indicators
Apache Tomcat Java Server 6.x versions prior to 6.0.35 and 7.x versions prior to 7.0.23 are vulnerable.
 
IntelliShield Analysis
To exploit the vulnerability, an attacker is required to submit crafted requests to the affected application. Typically, these applications would be hosted internally and accessible only according to firewall restrictions. As a result, an attacker would need access to a trusted, internal network to exploit the vulnerability.

The vendor has mitigated the vulnerability by introducing a parameter named maxParameterCount that limits the number of parameters processed for a single HTTP request.

Additional information about the hash table collision vulnerability is documented in IntelliShield Alert 24871.
 
Vendor Announcements
Apache has released a security announcement at the following link: Apache Tomcat and the hashtable collision DoS vulnerability

HP has released security bulletins c03127140, c03231290, and c03716627 at the following links: HPSBMU02736 SSRT100699, HPSBMU02747 SSRT100771, and HPSBUX02860 SSRT101146

Oracle has released a security advisory at the following link: CVE-2011-4858

Red Hat has released security advisories at the following links: RHSA-2012:0041, RHSA-2012:0074, RHSA-2012:0075, RHSA-2012:0076, RHSA-2012:0077, RHSA-2012:0078, RHSA-2012:0091, RHSA-2012:0325, RHSA-2012:0406, RHSA-2012:0474, RHSA-2012:0475, RHSA-2012:0680, and RHSA-2012:0682
 
Impact
An unauthenticated, remote attacker could exploit the vulnerability to cause an application that is using the Apache Tomcat framework to consume excessive CPU resources, resulting in a DoS condition.
 
Technical Information
The vulnerability is due to an incorrect implementation of the hash table that the affected software uses to store HTTP request parameters, keyed by parameter name. Because of the flaw, hash table lookups can consume excessive CPU resources when a large number of HTTP requests designed to produce colliding key values are submitted to an affected application.

An unauthenticated, remote attacker could exploit the vulnerability by submitting a large number of malformed HTTP requests to the Tomcat Java-based application. Processing the requests could trigger a DoS condition because of the colliding key values in the hash table.
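The following Python is an added illustration, not Tomcat source code and not part of this alert. It models the mechanism described in the Technical Information section and the parameter-count limit described under IntelliShield Analysis: a toy separate-chaining hash table counts key comparisons, a form-body parser feeds it request parameters, and a cap on the number of parameters bounds the work done per request in the spirit of the maxParameterCount setting. Everything specific to the example is an assumption: the weak hash function (sum of character codes) stands in for the flawed one, the limit value of 100 is arbitrary, "stop parsing and flag the request" is one reasonable response to hitting the limit, and the request bodies are constructed locally.

```python
"""Toy model of a parameter hash-table collision DoS and a parameter-count
limit.  Added example: not Tomcat source and not from the IntelliShield alert.

Assumptions made for the example (none come from the alert):
  * weak_hash (sum of character codes) stands in for the flawed hash function
  * MAX_PARAMETER_COUNT = 100 is an arbitrary limit, in the spirit of the
    maxParameterCount setting the vendor introduced
  * when the limit is hit, parsing stops and the request is flagged so the
    caller can reject it
  * request bodies are constructed locally
"""
from dataclasses import dataclass
from itertools import permutations
from urllib.parse import unquote_plus

MAX_PARAMETER_COUNT = 100  # assumed limit for this example
BUCKETS = 1024


class CountingHashTable:
    """Separate-chaining hash table that counts key comparisons.

    Every insert walks the whole chain of its bucket, so n distinct keys that
    all land in one bucket cost n(n-1)/2 comparisons in total.
    """

    def __init__(self, buckets: int = BUCKETS) -> None:
        self.buckets = [[] for _ in range(buckets)]  # bucket -> [(key, [values])]
        self.comparisons = 0

    @staticmethod
    def weak_hash(key: str) -> int:
        # Deliberately weak toy hash (assumption): any two keys that are
        # permutations of each other collide.
        return sum(ord(c) for c in key)

    def put(self, key: str, value: str) -> None:
        chain = self.buckets[self.weak_hash(key) % len(self.buckets)]
        for stored_key, values in chain:
            self.comparisons += 1
            if stored_key == key:
                values.append(value)  # repeated parameter name: keep every value
                return
        chain.append((key, [value]))

    def get(self, key: str):
        chain = self.buckets[self.weak_hash(key) % len(self.buckets)]
        for stored_key, values in chain:
            self.comparisons += 1
            if stored_key == key:
                return values
        return None


@dataclass
class ParsedParameters:
    table: CountingHashTable
    parsed: int            # parameters actually stored
    limit_exceeded: bool   # True when parsing stopped at the limit


def parse_form_body(body: str, max_parameter_count: int = MAX_PARAMETER_COUNT) -> ParsedParameters:
    """Parse an application/x-www-form-urlencoded body into the table,
    stopping as soon as max_parameter_count parameters have been stored."""
    table = CountingHashTable()
    parsed = 0
    for pair in body.split("&"):
        if not pair:
            continue
        if parsed >= max_parameter_count:
            # Bound the work: stop parsing and flag the request so the caller
            # can reject it (for example with HTTP 400) instead of hashing on.
            return ParsedParameters(table, parsed, True)
        name, _, value = pair.partition("=")
        table.put(unquote_plus(name), unquote_plus(value))
        parsed += 1
    return ParsedParameters(table, parsed, False)


def colliding_body(n: int) -> str:
    """Constructed body with n distinct names that are permutations of one
    string, so the toy hash puts every name in the same bucket."""
    names = ("".join(p) for p in permutations("abcdefg"))  # 5040 distinct names
    return "&".join(f"{next(names)}=x" for _ in range(n))


def spread_body(n: int) -> str:
    """Constructed body with n ordinary names (k0, k1, ...)."""
    return "&".join(f"k{i}=x" for i in range(n))


def demo(n: int = 500, limit: int = MAX_PARAMETER_COUNT) -> dict:
    """Compare comparison counts with and without the parameter limit."""
    unlimited = parse_form_body(colliding_body(n), max_parameter_count=n)
    spread = parse_form_body(spread_body(n), max_parameter_count=n)
    limited = parse_form_body(colliding_body(n), max_parameter_count=limit)
    return {
        "colliding_comparisons": unlimited.table.comparisons,  # n(n-1)/2 = 124750
        "spread_comparisons": spread.table.comparisons,        # far fewer
        "limited_comparisons": limited.table.comparisons,      # 100*99/2 = 4950
        "limited_truncated": limited.limit_exceeded,           # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the comparison is that the cost of a request whose parameter names all collide grows with the square of the parameter count, while an ordinary request of the same size stays cheap; the limit does not repair the hash function, it only caps how much of that quadratic work one request can force, which is why the vendor's maxParameterCount setting is a mitigation rather than a fix for the collision behaviour itself.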
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators are advised to monitor affected systems.
 
Patches/Software
Apache has released updated software at the following links:
Tomcat 6.0.35
Tomcat 7.0.23
CentOS packages can be updated using the up2date or yum command.

HP users are advised to follow mitigation steps as mentioned in the vendor advisory.

HP users are advised to apply hotfix SSRT100771 by contacting the normal HP Services support channel.

HP has released updated software at the following links:
HP-UX Apache Tomcat Servlet Engine 5.5.36.01
HP-UX_11.23_HPUXWS22T-B5536-1123.depot
HP-UX_11.31_HPUXWS22T-B5536-1131.depot
Oracle has released patches for registered users at the following links:
SPARC: Solaris 10 with patch 122911-29 or later
Intel: Solaris 10 with patch 122912-29 or later
Solaris 11 11/11 SRU 4
Oracle customers are advised to acquire the Solaris 9 patches via normal Oracle support channels.

Red Hat packages can be updated using the up2date or yum command.

Registered customers are advised to log in to the Red Hat Customer Portal and obtain the following update: JBoss Operations Network 3.0.1

Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0
Signature ID | Signature Name                             | Release | Latest Release Date
41466/0      | Apache Tomcat Hash Table Denial of Service | S623    | 2012 Feb 02
 
Alert History
 
Version 11, May 22, 2012, 7:49 PM: Red Hat has released additional security advisories and updated packages to address the Apache Tomcat hash table collision denial of service vulnerability.

Version 10, April 12, 2012, 1:22 PM: Red Hat has released additional security advisories and updated packages to address the Apache Tomcat hash table collision denial of service vulnerability. CentOS has also released updated packages to address this vulnerability.

Version 9, April 6, 2012, 4:17 PM: Oracle has released a security advisory and patches to address the Apache Tomcat hash table collision denial of service vulnerability.

Version 8, March 28, 2012, 8:58 AM: HP has released an additional security bulletin and updated software to address the Apache Tomcat hash table collision denial of service vulnerability.

Version 7, March 21, 2012, 1:32 PM: Red Hat has released an additional security advisory and software updates to address the Apache Tomcat hash table collision denial of service vulnerability.

Version 6, February 23, 2012, 2:03 PM: Red Hat has released an additional security advisory and updated package to address the Apache Tomcat hash table collision denial of service vulnerability.

Version 5, February 7, 2012, 1:24 PM: HP has released a security bulletin to address the Apache Tomcat hash table collision denial of service vulnerability.

Version 4, February 6, 2012, 12:26 PM: Red Hat has released security advisories and updated packages to address the Apache Tomcat hash table collision denial of service vulnerability.

Version 3, February 2, 2012, 11:56 AM: Red Hat has released security advisories and updated packages for JBoss Enterprise Application Platforms to address the Apache Tomcat hash table collision denial of service vulnerability.

Version 2, January 20, 2012, 9:07 PM: Red Hat has released a security advisory and updated packages to address the Apache Tomcat Hash Table collision denial of service vulnerability.

Version 1, January 6, 2012, 3:16 PM: Apache Tomcat contains a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service condition. Updates are available.


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
The Jakarta Project: Tomcat Java Server 6.0.0 Base | 6.0.1 Base | 6.0.2 Base | 6.0.3 Base | 6.0.4 Base | 6.0.5 Base | 6.0.6 Base | 6.0.7 Base | 6.0.8 Base | 6.0.9 Base | 6.0.10 Base | 6.0.11 Base | 6.0.12 Base | 6.0.13 Base | 6.0.14 Base | 6.0.15 Base | 6.0.16 Base | 6.0.18 Base | 6.0.19 Base | 6.0.20 Base | 6.0.21 Base | 6.0.22 Base | 6.0.23 Base | 6.0.24 Base | 6.0.25 Base | 6.0.26 Base | 6.0.27 Base | 6.0.28 Base | 6.0.29 Base | 6.0.30 Base | 6.0.31 Base | 6.0.32 Base | 6.0.33 Base | 6.0.34 Base | 7.0.0 | 7.0.1 | 7.0.2 | 7.0.3 | 7.0.4 | 7.0.5 | 7.0.6 | 7.0.7 | 7.0.8 | 7.0.9 | 7.0.10 | 7.0.11 | 7.0.12 | 7.0.13 | 7.0.14 | 7.0.15 | 7.0.16 | 7.0.17 | 7.0.18 | 7.0.19 | 7.0.20 | 7.0.21 | 7.0.22

Associated Products:
CentOS Project: CentOS 5.0 i386, 5.0 x86_64, 5.1 i386, 5.1 x86_64, 5.2 i386, 5.2 x86_64, 5.3 i386, 5.3 x86_64, 5.4 i386, 5.4 x86_64, 5.5 i386, 5.5 x86_64 | 6.0 i386, 6.0 x86_64, 6.1 i386, 6.1 x86_64, 6.2 i386, 6.2 x86_64
HP: Business Availability Center 8.0 Base | 8.01 Base | 8.02 Base | 8.03 Base | 8.04 Base | 8.05 Base | 8.06 Base | 8.07 Base
HP: Business Service Management 9.00 Base | 9.01 Base | 9.10 Base | 9.11 Base | 9.12 Base
HP: HP OpenView Network Node Manager (NNM) 7.53 Base
HP: HP-UX 11.11/11i Base | 11.23 Base | 11.31 Base
HP: HP-UX Tomcat-based Servlet Engine (hpuxwsTOMCAT) 5.5.23.00 Base | 5.5.23.01 Base | 5.5.23.01.1 Base | 5.5.27.00, 5.5.27.01.01 | 5.5.35.01
Oracle Corporation: Solaris Express 11 2010.11
Red Hat, Inc.: JBoss Enterprise Application Platform 4.3.0 EL4, EL5 | 5 EL4 IA-32, x86_64 | 5 EL5 IA-32, x86_64 | 5 EL6 IA-32, x86_64
Red Hat, Inc.: JBoss Enterprise Web Server EL5 IA-32, x86_64 | EL6 IA-32, x86_64
Red Hat, Inc.: JBoss Operations Network 3.0 Base
Red Hat, Inc.: Red Hat Enterprise Linux 5 IA-32, IA-64, PPC, ppc64, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Server AUS 6.2 IA-32, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Desktop 5 IA-32, x86_64 | 6 IA-32, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Desktop Workstation 5 IA-32, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux HPC Node 6 x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Server 6 IA-32, PPC, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Server EUS 6.2.z IA-32, PPC, s390x, x86_64
Red Hat, Inc.: Red Hat Enterprise Linux Workstation 6 IA-32, x86_64
Sun Microsystems, Inc.: Solaris 9 sparc, intel | 10 sparc, x64/x86




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.