Re: [jetty-users] POST params, DoS from hash collisions
The work to address CVE-2011-4461 was committed on Dec 29th, 2011
https://github.com/eclipse/jetty.project/commit/085c79d7d6cfbccc02821ffdb64968593df3e0bf
The recently released Jetty 7.6.0.RC3 contains this fix.
--
Joakim Erdfelt
(the people behind jetty and cometd)
On Thu, Jan 5, 2012 at 3:34 PM, Justin Cummins
<sul3n3t@xxxxxxxxx> wrote:
Last week, a widespread denial of service vulnerability was announced wherein the attacker can choose specific strings (or other objects) which all resolve to the same hashtable key. A POST request would be sufficient to trigger the denial of service.
Jetty is listed as one of the vulnerable web servers (among many others), and Oracle, I believe, has stated that they will not release any update. One mitigation is limiting request size; however, the attack's effect is only reduced.
Is anyone working on a real fix for Jetty by placing request parameters into a different Map structure?
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users
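As an added illustration of the two mitigations the thread discusses (a cap on the number of form parameters, and holding them in a map whose insertion cost does not depend on String.hashCode()), here is a small form-body decoder. This is example code written for this page, not Jetty's own code or the fix in the linked commit; the class name BoundedFormDecoder and the limit of 1000 keys are assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public final class BoundedFormDecoder {
    // Upper bound on distinct keys accepted from one request body (assumed value, see lead-in).
    private final int maxFormKeys;

    public BoundedFormDecoder(int maxFormKeys) {
        this.maxFormKeys = maxFormKeys;
    }

    // Decodes an application/x-www-form-urlencoded body. A TreeMap orders String keys by
    // compareTo(), so each insert is O(log n) regardless of how the keys hash; the key cap
    // additionally bounds the total work a single request can cause.
    public Map<String, List<String>> decode(String body) throws UnsupportedEncodingException {
        Map<String, List<String>> params = new TreeMap<String, List<String>>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), "UTF-8");
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), "UTF-8");
            List<String> values = params.get(name);
            if (values == null) {
                if (params.size() >= maxFormKeys) {
                    throw new IllegalStateException("Form with too many keys (limit " + maxFormKeys + ")");
                }
                values = new ArrayList<String>();
                params.put(name, values);
            }
            values.add(value);
        }
        return params;
    }

    public static void main(String[] args) throws Exception {
        BoundedFormDecoder decoder = new BoundedFormDecoder(1000);
        // Constructed sample bodies: a normal form, then one with far more keys than the limit.
        System.out.println(decoder.decode("user=alice&tag=a&tag=b"));
        StringBuilder flood = new StringBuilder();
        for (int i = 0; i < 5000; i++) flood.append("k").append(i).append("=v&");
        try {
            decoder.decode(flood.toString());
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the request once the key count is exceeded is what keeps the size limit from merely reducing the effect: the decoder stops before it has done the work the oversized body asks for.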