Last week, a widespread denial of service vulnerability was
announced <http://www.nruns.com/_downloads/advisory28122011.pdf>,
wherein the attacker can choose specific strings (or other objects) which all
resolve to the same hashtable key. A POST request would be sufficient to
trigger the denial of service.

Jetty is listed as one of the vulnerable web servers (among many others),
and Oracle, I believe, has stated that they will not release any update.
One mitigation is limiting the request size; however, the attack's effect is
only reduced.

Is anyone working on a real fix for Jetty by placing request parameters
into a different Map structure?
_______________________________________________
jetty-users mailing list
[email protected]
https://dev.eclipse.org/mailman/listinfo/jetty-users
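The collision mechanism the post describes, shown as an added example that is not code from this thread or from Jetty itself. It uses java.util.HashMap as a stand-in for a server's request-parameter map (an assumption; the class name HashCollisionDemo and the block count are likewise illustrative), generates keys that all share one String.hashCode() value, and times them against a benign key set and against a TreeMap, which is the kind of "different Map structure" the question asks about. On Java 7 and earlier, the runtimes current when this advisory appeared, the HashMap insertions degrade to quadratic time; since Java 8, HashMap converts long chains of Comparable keys into balanced trees, so the slowdown there is far smaller, although the collision generation itself is unchanged.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/*
 * Added example (not from the jetty-users thread or Jetty's code base).
 * String.hashCode() is s[0]*31^(n-1) + ... + s[n-1]. "Aa" and "BB" both
 * hash to 2112 (65*31+97 == 66*31+66), and because the hash is a polynomial
 * in 31, concatenating any sequence of colliding 2-char blocks yields strings
 * that share one hash code: k blocks give 2^k distinct colliding keys.
 */
public class HashCollisionDemo {

    /** Build 2^blocks distinct strings that all have the same hashCode(). */
    static List<String> collidingKeys(int blocks) {
        List<String> keys = new ArrayList<>();
        keys.add("");
        for (int b = 0; b < blocks; b++) {
            List<String> next = new ArrayList<>(keys.size() * 2);
            for (String k : keys) {
                next.add(k + "Aa");
                next.add(k + "BB");
            }
            keys = next;
        }
        return keys;
    }

    /** Insert every key into the map (a stand-in for a parameter map) and return elapsed ns. */
    static long timeInsert(Map<String, String> map, List<String> keys) {
        long start = System.nanoTime();
        for (String k : keys) {
            map.put(k, "x");
        }
        return System.nanoTime() - start;
    }

    public static void main(String[] args) {
        int blocks = 16;  // 2^16 = 65536 keys, about what one modest POST body can carry
        List<String> colliding = collidingKeys(blocks);

        // Sanity check: every generated key shares the first key's hash code.
        int h = colliding.get(0).hashCode();
        for (String k : colliding) {
            if (k.hashCode() != h) {
                throw new AssertionError("hash mismatch for " + k);
            }
        }
        System.out.println(colliding.size() + " distinct keys, all with hashCode " + h);

        // Control: the same number of keys with (practically) distinct hash codes.
        List<String> benign = new ArrayList<>(colliding.size());
        for (int i = 0; i < colliding.size(); i++) {
            benign.add("param" + i);
        }

        System.out.printf("HashMap, benign keys:    %d ms%n",
                timeInsert(new HashMap<>(), benign) / 1_000_000);
        System.out.printf("HashMap, colliding keys: %d ms%n",
                timeInsert(new HashMap<>(), colliding) / 1_000_000);
        // TreeMap orders keys by compareTo(), never by hashCode(), so the
        // colliding keys cost O(log n) per insert like any other key.
        System.out.printf("TreeMap, colliding keys: %d ms%n",
                timeInsert(new TreeMap<>(), colliding) / 1_000_000);
    }
}
```

Compile and run with `javac HashCollisionDemo.java && java HashCollisionDemo`. Raising `blocks` by one doubles the number of keys; on a pre-Java-8 HashMap the colliding run's time roughly quadruples, which is the blow-up a request-size limit can only cap, not remove.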
