Lucene search

Veracode Vulnerability DatabaseVERACODE:3117

HistoryDec 15, 2016 - 5:41 a.m.

Denial Of Service (DoS)

2016-12-1505:41:34

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON

Apache Geronimo is vulnerable to denial of service attacks through resource consumption. This is caused because it computes hash values for form parameters without reliably predicting hash collisions. This allows attackers to cause denial of service attacks by sending multiple parameters designed to have collisions.

CPENameOperatorVersion
geronimo plugins, tomcat :: corele2.2.1
geronimo :: tomcateq1.2-beta
org.apache.geronimo:geronimo-tomcateq1.0
geronimo :: tomcatle1.1.1

Name	Operator	Version
geronimo plugins, tomcat :: core	le	2.2.1
geronimo :: tomcat	eq	1.2-beta
org.apache.geronimo:geronimo-tomcat	eq	1.0
geronimo :: tomcat	le	1.1.1

References

archives.neohapsis.com/archives/bugtraq/2011-12/0181.html

secunia.com/advisories/47412

www.kb.cert.org/vuls/id/903934

www.nruns.com/_downloads/advisory28122011.pdf

www.ocert.org/advisories/ocert-2011-003.html

github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py

issues.apache.org/jira/browse/GERONIMO-6253

issues.apache.org/jira/secure/attachment/12524824/GERONIMO-6253.patch

lists.apache.org/thread.html/r20957aa5962a48328f199e2373f408aeeae601a45dd5275a195e2b6e@%3Cjava-dev.axis.apache.org%3E

lists.apache.org/thread.html/r360b70489bad65286b49ceb5303a849d2a7ec7d1292774a7259579e1@%3Cissues.karaf.apache.org%3E

lists.apache.org/thread.html/r3c541f019b74902e8e61d73e40ecc2837dfce1b744ad5546919b993c@%3Cissues.karaf.apache.org%3E

lists.apache.org/thread.html/r4fe6b5ff1d48e23337304fd5ac983d89328aecbd1fa198cfc966fbd7@%3Cdev.geronimo.apache.org%3E

lists.apache.org/thread.html/r653f633aa7b6ccbb8c338dbfcea7a00e4ae9d6f3e064a03cab8dc20d@%3Cjava-dev.axis.apache.org%3E

lists.apache.org/thread.html/r67747af92035942c9c413bd8394acbb8a1ace5833c0177014c825bc2@%3Cissues.karaf.apache.org%3E

lists.apache.org/thread.html/r8dc1a0ae0e0cf9d2494b8cbd66562f99331c4cf635e7781850a9b9ba@%3Cjava-dev.axis.apache.org%3E

lists.apache.org/thread.html/ra10015f6f3c3c88b7d813383554e87c06347fe163487148669189b8e@%3Cdev.geronimo.apache.org%3E

lists.apache.org/thread.html/ra1fe29f6399b68980f914d8613dee7f67d62a1a97722fe9cd56f4f5f@%3Cdev.geronimo.apache.org%3E

lists.apache.org/thread.html/rb0e85243d7268f1d7a1edb5e6c7df885dbd300acabaaf4cb0e880518@%3Cissues.karaf.apache.org%3E

lists.apache.org/thread.html/rdd67ea3e489134f653349fc2cb09828ac8462aa61dd776b505a3297a@%3Cissues.karaf.apache.org%3E

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON

Related for VERACODE:3117