Btw, which tool are you using to scan for security problems? We should report this to the tool vendor.
txs and LieGrue,
strub

> On 02.07.2018 at 08:54, Mark Struberg <strub...@yahoo.de> wrote:
>
> Ohh, that's really a false positive :(
>
> From the CVE-2011-5034:
>
>> Apache Geronimo 2.2.1 and earlier computes hash values for form parameters
>> without restricting
>
> This only affects the Apache Geronimo Application Server - which is now
> retired btw.
> And there it affects HTTP post parameter parsing afaict.
>
> It has nothing to do with the spec jars you listed. Those are really clean.
>
>
> LieGrue,
> strub
>
>
>> On 02.07.2018 at 07:38, Munna <abhilash.kyat...@gmail.com> wrote:
>>
>> No, there is no class mentioned in the report.
>>
>> The report just says, as below, that Apache ActiveMQ has these jars and this may lead
>> to hash collisions.
>>
>> Apache Geronimo 2.2.1 and earlier computes hash values for form parameters
>> without restricting the ability to trigger hash collisions predictably,
>> which allows remote attackers to cause a denial of service (CPU consumption)
>> by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
>>
>> You can see this in the link below:
>> https://nvd.nist.gov/vuln/detail/CVE-2011-5034
>>
>> Here it says the solution is to replace with the latest Apache Geronimo jar, but this is part of
>> the latest Apache ActiveMQ version and not using independent jars. How can I fix
>> it?
>>
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5034
>>
>>
>>
>>
>>
>> --
>> Sent from: http://apache-geronimo.328035.n3.nabble.com/Users-f328036.html
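The CVE quoted above describes a hash-collision denial of service in HTTP form-parameter parsing, and the usual mitigation is to cap the number of parameters before any of them is inserted into a hash table. The following is an added example of that mitigation, not code from Apache Geronimo or ActiveMQ; the cap values, the exception name and the function name are assumptions.

```python
# Added example: form-body parser with the parameter-count and body-size caps
# that mitigate hash-collision DoS (CVE-2011-5034 class). Not Geronimo/ActiveMQ
# code; MAX_PARAMETERS, MAX_BODY_BYTES and TooManyParameters are assumed names.
from urllib.parse import unquote_plus

MAX_PARAMETERS = 1000       # assumed cap, in the spirit of a container's max-parameter setting
MAX_BODY_BYTES = 2 * 1024 * 1024  # assumed cap on the raw body accepted for parsing


class TooManyParameters(ValueError):
    """Raised when a body carries more parameters (or bytes) than the caps allow."""


def parse_form_body(body: str,
                    max_parameters: int = MAX_PARAMETERS,
                    max_body_bytes: int = MAX_BODY_BYTES) -> dict:
    """Parse an application/x-www-form-urlencoded body into {name: [values]}.

    Both caps are enforced before a single name is hashed into the dict, so a
    body stuffed with colliding names costs one O(n) split and is then rejected,
    rather than being hashed into the table pair by pair. Repeated names are
    preserved in order, so callers can still see multi-valued parameters.
    """
    if len(body.encode("utf-8")) > max_body_bytes:
        raise TooManyParameters(f"body exceeds {max_body_bytes} bytes")
    if not body:
        return {}
    pairs = [p for p in body.split("&") if p]   # tolerate "a=1&&b=2"
    if len(pairs) > max_parameters:
        raise TooManyParameters(
            f"{len(pairs)} parameters exceed the limit of {max_parameters}")
    params: dict = {}
    for pair in pairs:
        # "name" without "=" is a parameter with an empty value
        name, sep, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(
            unquote_plus(value) if sep else "")
    return params
```

Python's own str hashing has been seed-randomized since 3.3, so the dict itself is not predictably collidable; the count cap is still what bounds the CPU spent per request.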