English
Log in
Search
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

HomeDescriptionsSA47408

Jetty Web Form Hash Collision Denial of Service Vulnerability


Secunia ID

SA47408
CVE-ID

CVE-2011-4461
Release Date

29 Dec 2011
Criticality

Less Critical
Solution Status

Unpatched
Software

Jetty 6.x
Jetty 7.x
Where

From remote
Impact
DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.
Description

A vulnerability has been reported in Jetty, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within a hash generation function when hashing form posts and updating a hash table. This can be exploited to cause a hash collision resulting in high CPU consumption via a specially crafted form sent in a HTTP POST request.
Solution

Currently there is no known workaround.
Reported by

Alexander Klink, n.runs AG and Julian Wälde, Technische Universität Darmstadt
Original Advisory

n.runs (SA-2011.004):
http://www.nruns.com/_downloads/advisory28122011.pdf

oCERT (#2011-003):
http://www.ocert.org/advisories/ocert-2011-003.html

© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.

kaspersky.com

Products

eStore

Threats

Downloads

Support

Partners

About Us

Search

securelist.com

Threats

Analysis

Blog

Descriptions

Glossary

RSS feeds

Contacts

Search