[jetty-users] POST params, DoS from hash collisions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[jetty-users] POST params, DoS from hash collisions

From: Justin Cummins <sul3n3t@xxxxxxxxx>
Date: Thu, 5 Jan 2012 14:34:57 -0800
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

Last week, a widespread denial of service vulnerability was announced wherein the attacker can choose specific strings (or other objects) which all resolve to the same hashtable key. A POST request would be sufficient to trigger the denial of service.

Jetty is listed as one of the vulnerable web servers (among many others) and Oracle, I believe, has stated that they will not release any update. One mitigation is limiting a request size, however, the attack's effect is only reduced.

Is anyone working on a real fix for Jetty by placing request parameters into a different Map structure?

Follow-Ups:
- Re: [jetty-users] POST params, DoS from hash collisions
  - From: Joakim Erdfelt

Prev by Date: Re: [jetty-users] NPE in MultiPartFilter
Next by Date: Re: [jetty-users] POST params, DoS from hash collisions
Previous by thread: [jetty-users] How to configure Custom Host Name Verifier in Jetty server
Next by thread: Re: [jetty-users] POST params, DoS from hash collisions
Index(es):
- Date
- Thread

Breadcrumbs