[jetty-users] POST params, DoS from hash collisions
- From: Justin Cummins <sul3n3t@xxxxxxxxx>
- Date: Thu, 5 Jan 2012 14:34:57 -0800
- Delivered-to: jetty-users@eclipse.org
Last week, a widespread denial of service vulnerability was announced wherein the attacker can choose specific strings (or other objects) which all resolve to the same hashtable key. A POST request would be sufficient to trigger the denial of service.
Jetty is listed as one of the vulnerable web servers (among many others), and Oracle, I believe, has stated that they will not release any update. One mitigation is limiting the request size; however, the attack's effect is only reduced.
Is anyone working on a real fix for Jetty by placing request parameters into a different Map structure?
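The two mitigations the post mentions, a request-size limit and a parameter map that does not depend on hashing, can be shown side by side in a small form-body parser. The code below is an added example written for this archive page; it is not Jetty code and none of its names (`SafeFormParser`, `FormLimitExceededException`, `CollidingKey`) exist in Jetty. It caps the body size and the number of name=value pairs, stores the parameters in a `TreeMap`, and then simulates attacker-chosen colliding names with a key class whose `hashCode()` is constant, so the structural difference between `HashMap` and `TreeMap` is visible without generating real `String` collisions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

/**
 * Illustrative form-body parser (example code, not Jetty's). Two defences
 * against collision-driven CPU exhaustion on POST parameters:
 *  1. cap the body size and the number of name=value pairs, so one request
 *     cannot force an unbounded number of map operations;
 *  2. keep the parameters in a TreeMap, whose per-insert cost is O(log n)
 *     string comparisons however the names hash.
 */
public final class SafeFormParser {

    /** Raised when a body exceeds the configured limits (hypothetical name). */
    public static final class FormLimitExceededException extends RuntimeException {
        FormLimitExceededException(String msg) { super(msg); }
    }

    private final int maxParams;
    private final int maxBodyChars;

    public SafeFormParser(int maxParams, int maxBodyChars) {
        this.maxParams = maxParams;
        this.maxBodyChars = maxBodyChars;
    }

    /** Parses application/x-www-form-urlencoded text into name -> values. */
    public Map<String, List<String>> parse(String body) {
        if (body.length() > maxBodyChars) {
            throw new FormLimitExceededException("body exceeds " + maxBodyChars + " chars");
        }
        Map<String, List<String>> params = new TreeMap<String, List<String>>();
        int count = 0;
        int start = 0;
        while (start <= body.length()) {
            int end = body.indexOf('&', start);
            if (end < 0) end = body.length();
            String pair = body.substring(start, end);
            if (!pair.isEmpty()) {
                // Every pair costs one map operation, so the pair count is what we bound.
                if (++count > maxParams) {
                    throw new FormLimitExceededException("more than " + maxParams + " parameters");
                }
                int eq = pair.indexOf('=');
                String name = decode(eq < 0 ? pair : pair.substring(0, eq));
                String value = eq < 0 ? "" : decode(pair.substring(eq + 1));
                List<String> values = params.get(name);
                if (values == null) {
                    values = new ArrayList<String>();
                    params.put(name, values);
                }
                values.add(value);
            }
            start = end + 1;
        }
        return params;
    }

    private static String decode(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    /** Constant-hash key: simulates colliding parameter names (constructed, not a real collision). */
    private static final class CollidingKey {
        final int id;
        CollidingKey(int id) { this.id = id; }
        @Override public int hashCode() { return 0; }
        @Override public boolean equals(Object o) {
            return o instanceof CollidingKey && ((CollidingKey) o).id == id;
        }
    }

    public static void main(String[] args) {
        SafeFormParser parser = new SafeFormParser(1000, 64 * 1024);
        System.out.println(parser.parse("user=alice&tag=a&tag=b%20c&flag"));

        // A body with more pairs than allowed is rejected before the map grows.
        StringBuilder huge = new StringBuilder();
        for (int i = 0; i < 1001; i++) huge.append("k").append(i).append("=v&");
        try {
            parser.parse(huge.toString());
        } catch (FormLimitExceededException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Structural comparison: every key lands in one HashMap bucket (a chain, or a
        // treeified bin that still needs a linear search for non-Comparable keys),
        // while the TreeMap orders by id and stays logarithmic. Absolute times vary.
        int n = 20000;
        Map<CollidingKey, Integer> hash = new HashMap<CollidingKey, Integer>();
        Map<CollidingKey, Integer> tree = new TreeMap<CollidingKey, Integer>(new Comparator<CollidingKey>() {
            public int compare(CollidingKey a, CollidingKey b) { return Integer.compare(a.id, b.id); }
        });
        long t0 = System.nanoTime();
        for (int i = 0; i < n; i++) hash.put(new CollidingKey(i), i);
        long t1 = System.nanoTime();
        for (int i = 0; i < n; i++) tree.put(new CollidingKey(i), i);
        long t2 = System.nanoTime();
        System.out.printf("HashMap %d ms, TreeMap %d ms%n", (t1 - t0) / 1_000_000, (t2 - t1) / 1_000_000);
    }
}
```

The cap is the part that matters most for a server: a `TreeMap` keeps each insertion at O(log n) string comparisons whatever the names hash to, but without a limit on pairs and body size a client can still make the server do a large amount of parsing work per request. For context beyond the post, Jetty's later releases added a configurable maximum number of form keys (`org.eclipse.jetty.server.Request.maxFormKeys`), and Java 8's `HashMap` converts heavily colliding buckets to red-black trees keyed on `compareTo` for `Comparable` keys such as `String`, which bounds lookups in a colliding bucket to O(log n) on that runtime.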