You may have read about a recently announced vulnerability rooted in the Java hashtable implementation [1]. Since Apache Tomcat uses a hashtable for storing HTTP request parameters, it is affected by this issue.
As per [1], it appears that Oracle will not be providing a fix for this vulnerability with in the JRE. Tomcat has implemented a work-around for this issue by providing a new option (maxParameterCount) to limit the number of parameters processed for a single request. This default limit is 10000: high enough to be unlikely to affect any application; low enough to mitigate the effects of the DoS. The work-around is available in: trunk 7.0.23 onwards 6.0.35 onwards The work-around will also be available in 5.5.35 once released. If using an earlier version of Apache Tomcat that does not have the maxParameterCount attribute available, limiting the maxPostSize to a few 10's of kB should also mitigate the issue although it may cause issues for some applications. While this is not viewed as a vulnerability in Apache Tomcat, the Apache Tomcat security team is making this announcement due to the high likelihood that applications will be affected by this issue and to make users aware of the available work-arounds. The Apache Tomcat security team [1] http://www.nruns.com/_downloads/advisory28122011.pdf --------------------------------------------------------------------- To unsubscribe, e-mail: announce-unsubscr...@apache.org For additional commands, e-mail: announce-h...@apache.org
