Apache Tomcat Hash Collision Denial Of Service Vulnerability Network Vulnerability

Summary

The host is running Apache Tomcat Server and is prone to denial of service vulnerability.

Impact

Successful exploitation could allow remote attackers to cause a denial of service via a specially crafted form sent in a HTTP POST request. Impact Level: Application.

Solution

Apply patch or upgrade Apache Tomcat to 5.5.35, 6.0.35, 7.0.23 or later, For updates refer to http://tomcat.apache.org/ ***** NOTE: Ignore this warning, if above mentioned patch is manually applied. *****

Insight

The flaw is due to an error within a hash generation function when computing hash values for form parameter and updating a hash table. This can be exploited to cause a hash collision resulting in high CPU consumption via a specially crafted form sent in a HTTP POST request.

Affected

Apache Tomcat version before 5.5.35, 6.x to 6.0.34 and 7.x to 7.0.22 on Windows.

References

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
http://www.kb.cert.org/vuls/id/903934
http://www.ocert.org/advisories/ocert-2011-003.html
https://bugzilla.redhat.com/show_bug.cgi?id=750521

Updated on 2015-03-25

Severity

Classification

CVE CVE-2011-4858
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:N/I:N/A:P

Related Vulnerabilities

Jetty Cross Site Scripting and Information Disclosure Vulnerabilities
IBM WebSphere Application Server Administration Console DoS vulnerability
iWeb Server URL Directory Traversal Vulnerability
JServ Cross Site Scripting
Apache Tomcat HTTP NIO Denial Of Service Vulnerability (Windows)

Take action and discover your vulnerabilities