Bugzilla – Bug 727543
VUL-0: CVE-2011-4858: Apache tomcat vulnerable to hash collision attack.
Last modified: 2013-12-10 22:43:07 UTC
Specially crafted parameters of a request could result in the parameters getting the same hash value, which consumes excessive amounts of resources (CVE-2011-4084).
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
Improve performance of parameter processing for GET and POST requests. Also add an option to limit the maximum number of parameters processed per request. This defaults to 10000. Excessive parameters are ignored. Note that FailedRequestFilter can be used to reject the request if some parameters were ignored. (markt/kkolinko)
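As an added example (not code from this bug report, from Tomcat, or from the SUSE packages), the following Python script reproduces the collision the report describes and models the two-part mitigation from the quoted changelog: a cap on the number of parameters parsed per request, and a filter that rejects the request when any were ignored. It relies on one fact about Java's String.hashCode(): "Aa" and "BB" both hash to 2112, and because the hash is positional, any concatenation of k such blocks gives 2**k distinct names with one hash value. In a chained hash table, N colliding keys cost O(N^2) to insert, which is the resource exhaustion behind this bug. The parser below is a deliberate simplification of Tomcat's, and the function names (parse_parameters, failed_request_filter) are hypothetical; in Tomcat itself the cap is the Connector's maxParameterCount attribute and the rejection is org.apache.catalina.filters.FailedRequestFilter in web.xml. The query string is constructed inline.

```python
# Added example, not code from the bug report, Tomcat or the SUSE packages.
# It reproduces the collision behind this bug (many distinct parameter names
# with one Java String.hashCode) and models the two-part mitigation from the
# changelog: cap the number of parameters per request, and reject the
# request if any were ignored (what FailedRequestFilter does in Tomcat).
from itertools import product
from urllib.parse import unquote_plus


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over the UTF-16 code units,
    wrapped to a signed 32-bit int. BMP-only input is assumed here."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def colliding_names(k: int) -> list:
    """2**k distinct strings of length 2*k that all share one hashCode.
    'Aa' and 'BB' both hash to 2112, and hashCode is positional, so any
    sequence of k such two-character blocks yields the same value."""
    return ["".join(blocks) for blocks in product(("Aa", "BB"), repeat=k)]


def build_query(names) -> str:
    """Constructed query string / form body: one parameter per colliding name."""
    return "&".join(f"{name}=x" for name in names)


MAX_PARAMETER_COUNT = 10000   # upstream default from the changelog quoted above


def parse_parameters(query: str, max_count: int = MAX_PARAMETER_COUNT):
    """Toy model (hypothetical, not Tomcat's parser) of the fixed behaviour:
    stop after max_count parameters. Returns (params, ignored), where
    ignored is True if at least one parameter was dropped."""
    params = {}
    ignored = False
    seen = 0
    for pair in query.split("&"):
        if not pair:
            continue
        if seen >= max_count:
            ignored = True   # excess parameters are ignored, not parsed
            break
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
        seen += 1
    return params, ignored


def failed_request_filter(query: str, max_count: int = MAX_PARAMETER_COUNT) -> int:
    """Models FailedRequestFilter: 400 if parsing hit the limit, else 200."""
    _, ignored = parse_parameters(query, max_count)
    return 400 if ignored else 200


if __name__ == "__main__":
    names = colliding_names(12)            # 4096 distinct names, one hash
    print(len(names), "names, distinct hashes:",
          len({java_string_hash(n) for n in names}))
    query = build_query(names)
    for limit in (16, MAX_PARAMETER_COUNT):
        print(f"max_count={limit}: HTTP {failed_request_filter(query, limit)}")
```

Note that the cap alone only bounds the work per request; without the filter a request that exceeds it is still served with silently truncated parameters, which is why the changelog points at FailedRequestFilter for deployments that must not accept partial input.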
The SWAMPID for this issue is 44791. This issue was rated as important. Please submit fixed packages until 2012-01-11. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
submitted fixed packages:
factory: 99249
12.1: 99250
11.4: 99251
11.3: 99252
sle-11: 17109
sle-10: 17110
This is an autogenerated message for OBS integration: This bug (727543) was mentioned in
https://build.opensuse.org/request/show/99249 Factory / tomcat6
https://build.opensuse.org/request/show/99251 11.4 / tomcat6
https://build.opensuse.org/request/show/99252 11.3 / tomcat6
For submits that mention the CVE, we probably need to redo the submits since MITRE assigned a different CVE and rejected the old one:
---------------------8<----------------------------
The new CVE mapping for this Apache Tomcat issue is:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4858
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4084 (rejected)
(MITRE had previously been sent information about test cases and test results that suggested a different mapping. However, yesterday we received updated information about test cases and test results.)
--
CVE assignment team, MITRE CVE Numbering Authority
M/S S145
202 Burlington Road, Bedford, MA 01730 USA
(In reply to comment #9)
> For submits that mention the CVE, we probably need to redo the submits since
> MITRE assigned a different CVE and rejected the old one:
Fortunately I did not refer to the CVE in the changes nor in the spec file. The patch is named apache-tomcat-parameter-processing-performance.patch and the changes entry reads "fix bnc#727543 - VUL-0: Apache tomcat vulnerable to hash collision attack backport upstream changes: ...", so no action is needed.
Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
This is an autogenerated message for OBS integration: This bug (727543) was mentioned in https://build.opensuse.org/request/show/100728 12.1 / tomcat6
This is an autogenerated message for OBS integration: This bug (727543) was mentioned in https://build.opensuse.org/request/show/101114 Evergreen:11.2 / tomcat6
This is an autogenerated message for OBS integration: This bug (727543) was mentioned in https://build.opensuse.org/request/show/101999 Evergreen:11.2 / tomcat6
Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps Products: SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64) SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
*** Bug 745056 has been marked as a duplicate of this bug. ***
The SWAMPID for this issue is 46954. This issue was rated as important. Please submit fixed packages until 2012-04-30. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
For the SLES 11 codebase this was fixed with the tomcat6-6.0.18-20.33.1 release, published in February 2012 (as part of the release of tomcat6 into the SLES product channels).