
Glassfish 3.1.1 workaround for Denial of Service through hash table multi-collisions

5 January 2012

This is an old bug, first discovered in 2003, that has now been applied to the hash table functions of newer programming languages. The main idea behind this bug is to create hashes which collide, because collisions eat a lot more CPU cycles on your server. A POST of 2 MB results in 44 minutes of CPU time, which results in a DoS.

As suggested in the advisory released by nruns.com, we can limit the maximum POST size to several tens of KB. In Glassfish 3.1.1 the maximum POST size is 2 MB, and the setting can be changed here: Configurations -> [configuration name] -> Network Config -> Network Listener -> http-listener-[12] -> HTTP.
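Why shrinking the maximum POST size helps, as an added example (a cost model written for this page, not Glassfish code or code from the advisory): in a chained hash table whose keys all share one bucket, inserting n parameters takes n(n-1)/2 key comparisons, so the work grows with the square of the body size. The 16 bytes per parameter, the 32 KB limit, the bucket count and both hash functions are assumptions chosen for illustration.

```python
import zlib


class ChainedTable:
    """Separate-chaining hash table that counts key comparisons."""

    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:              # walk the chain looking for the key
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def all_collide(key):
    """Stand-in for a request whose parameter names share one hash value."""
    return 0


def well_spread(key):
    """Deterministic hash that distributes ordinary names across buckets."""
    return zlib.crc32(key.encode())


def comparisons_for(n_params, hash_fn):
    """Insert n_params distinct names and return the comparisons performed."""
    table = ChainedTable(hash_fn)
    for i in range(n_params):
        table.put("p%d" % i, "")
    return table.comparisons


def worst_case_comparisons(post_limit_bytes, bytes_per_param=16):
    """Closed form n(n-1)/2 for the most parameters a body can hold.

    bytes_per_param is an assumed average size of one "name=value&" pair.
    """
    n = post_limit_bytes // bytes_per_param
    return n * (n - 1) // 2


if __name__ == "__main__":
    print("2000 params, spread :", comparisons_for(2000, well_spread))
    print("2000 params, collide:", comparisons_for(2000, all_collide))
    for limit in (2 * 1024 * 1024, 32 * 1024):   # 2 MB default vs. assumed 32 KB limit
        print(limit, "bytes ->", worst_case_comparisons(limit))
```

Under these assumptions, cutting the limit from 2 MB to 32 KB (a factor of 64) reduces the worst-case comparisons per request by a factor of roughly 4,000.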

The other suggestions made by nruns (limiting CPU time, limiting the maximal number of parameters) cannot be applied to Glassfish.

Advisory:

http://www.nruns.com/_downloads/advisory28122011.pdf
http://www.cvedetails.com/cve/CVE-2011-5035/

Detailed explanation of Hash table collisions:

http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html
http://nikic.github.com/2011/12/28/Supercolliding-a-PHP-array.html

