The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Tomcat, JBoss: denial of service via hash collision

Synthesis of the vulnerability 

An attacker can send request parameters whose names collide in the hash table used to store them, in order to overload a service.
Vulnerable software: Tomcat, Debian, Fedora, HPE NNMi, OpenView NNM, HP-UX, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, ESX, vCenter Server, VMware vSphere.
Severity of this announcement: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/02/2012.
References of this computer vulnerability: BID-51200, c03183543, c03231290, c03824583, CERTA-2012-AVI-479, CERTA-2013-AVI-440, CVE-2011-4084-REJECT, CVE-2011-4858, DSA-2401-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-7258, FEDORA-2012-7593, HPSBMU02747, HPSBMU02894, HPSBUX02741, openSUSE-SU-2012:0103-1, RHSA-2012:0041-01, RHSA-2012:0074-01, RHSA-2012:0075-01, RHSA-2012:0076-01, RHSA-2012:0077-01, RHSA-2012:0078-01, RHSA-2012:0089-01, RHSA-2012:0091-01, RHSA-2012:0325-01, RHSA-2012:0406-01, RHSA-2012:0474-01, RHSA-2012:0475-01, RHSA-2012:0679-01, RHSA-2012:0680-01, RHSA-2012:0681-01, RHSA-2012:0682-01, SSRT100728, SSRT100771, VIGILANCE-VUL-11383, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1.

Description of the vulnerability 

The bulletin VIGILANCE-VUL-11254 describes a vulnerability which can be used to create a denial of service on several applications: request parameters are stored in a hash table whose hash function is predictable, so an attacker can choose parameter names that all collide, turning each insertion into a linear scan of the same bucket and the whole request into quadratic CPU work.

This vulnerability impacts Tomcat (CVE-2011-4858).

Because VIGILANCE-VUL-11254 had grown too large, the solutions for Tomcat were moved to this bulletin.

This computer vulnerability note impacts software or systems such as Tomcat, Debian, Fedora, HPE NNMi, OpenView NNM, HP-UX, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, ESX, vCenter Server, VMware vSphere.

Our Vigil@nce team rated the severity of this vulnerability announcement as important (3/4).

Trust level: confirmed by the vendor. Attack origin: internet client.

This bulletin covers 2 vulnerabilities.

Exploiting this announcement requires an attacker with expert-level skill.

Solutions for this threat 

Apache Tomcat: version 7.0.23.
The version 7.0.23 is corrected:
  http://tomcat.apache.org/download-70.cgi

Apache Tomcat: version 6.0.35.
The version 6.0.35 is corrected:
  http://tomcat.apache.org/download-60.cgi

Apache Tomcat: version 5.5.35.
The version 5.5.35 is corrected:
  http://tomcat.apache.org/download-55.cgi

Apache Tomcat: workaround for hash collision.
Versions 7.0.23 and 6.0.35 add the maxParameterCount attribute on the Connector element of conf/server.xml, which limits the number of request parameters (GET plus POST) that Tomcat will parse; the default is 10000, and parameters beyond the limit are ignored.
On earlier Tomcat versions, the Connector attribute maxPostSize can be lowered (for example to 20000 bytes) to bound how many form parameters a POST body can carry. This does not limit parameters sent in the query string, and it can break legitimate requests with large POST bodies.

JBoss Operations Network: version 2.4.2.
The version 2.4.2 is corrected:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=em&version=2.4.2

Debian: new tomcat6 packages.
New packages are available:
  tomcat6 6.0.35-1+squeeze2

Fedora: new tomcat6 packages.
New packages are available:
  tomcat6-6.0.35-1.fc16
  tomcat6-6.0.35-1.fc17

HP NNMi: patch for Tomcat/JBoss.
A patch is available:
  HF-NNMi-9.0xP5-JBoss-20130417
  HF-NNMi-9.1xP5-JBoss-20130417

HP OV NNM: hotfix SSRT100771.
Hotfix SSRT100771 is available.

HP-UX Web Server Suite: version 3.22.
The version 3.22 is corrected:
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW322

JBoss Operations Network: version 3.0.1.
The version 3.0.1 is corrected:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=em&version=3.0.1

openSUSE: new tomcat packages.
New packages are available:
  openSUSE 11.3 : tomcat6-6.0.24-5.16.1
  openSUSE 11.4 : tomcat6-6.0.32-7.12.1

Red Hat JBoss Enterprise Application Platform: patch.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=4.3.0.GA_CP10

Red Hat JBoss Enterprise: patch.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.2.0
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=securityPatches&version=5.2.0
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.2.0+GA

RHEL JBoss Enterprise Web Server: new tomcat5 packages.
New packages are available:
  JBoss Enterprise Web Server 1.0 for RHEL 5 Server:
    tomcat5-5.5.33-27_patch_07.ep5.el5
  JBoss Enterprise Web Server 1.0 for RHEL 6 Server:
    tomcat5-5.5.33-28_patch_07.ep5.el6
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2

RHEL JBoss Enterprise Web Server: new tomcat6 packages.
New packages are available:
  JBoss Enterprise Web Server 1.0 for RHEL 5 Server:
    tomcat6-6.0.32-24_patch_07.ep5.el5
  JBoss Enterprise Web Server 1.0 for RHEL 6 Server:
    tomcat6-6.0.32-24_patch_07.ep5.el6
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=1.0.2

RHEL: new JBoss Enterprise packages.
New packages are available, as indicated in information sources.

RHEL: new tomcat packages.
New packages are available:
  tomcat5-5.5.23-0jpp.31.el5_8
  tomcat6-6.0.24-36.el6_2

Solaris 10: patch for Oracle Java Web Console.
A patch is available:
  SPARC: 147673-04
  X86: 147674-04

Solaris: patch for Apache Tomcat.
A patch is available:
  Solaris 9 :
    contact support
  Solaris 10
    SPARC: 122911-29
    X86: 122912-29
  Solaris 11 :
    11/11 SRU 4

VMware ESX 4.0: patch ESX400-201209001.
A patch is available:
  ESX400-201209001
  http://kb.vmware.com/kb/2019661

VMware ESX: version 4.1 Update 3.
The version 4.1 Update 3 is corrected:
  http://kb.vmware.com/kb/2020362

VMware vCenter Server: version 4.0 Update 4a.
The version 4.0 Update 4a is corrected:
  http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_0
  https://www.vmware.com/support/vsphere4/doc/vsp_vc40_u4a_rel_notes.html

VMware vCenter Server: version 4.1 Update 3.
The version 4.1 Update 3 is corrected:
  http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1
  https://www.vmware.com/support/vsphere4/doc/vsp_vc41_u3_rel_notes.html
