CVE-2011-4461
published 2011-12-30CVE-2011-4461: Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows…
PriorityP426medium5.3CVSS 3.0
AVNACLPRNUINSUCNINAL
EPSS
5.04%
91.2th percentile
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Affected
214 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | geronimo | <= 2.2.1 | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| apache | geronimo | — | — |
| eclipse | jetty | >= 0 < 6.1.26-1ubuntu1 | 6.1.26-1ubuntu1 |
| mortbay | jetty | <= 8.1.0 | — |
| mortbay | jetty | — | — |
| mortbay | jetty | — | — |
| mortbay | jetty | — | — |
| mortbay | jetty | — | — |
| mortbay | jetty | — | — |
| mortbay | jetty | — | — |
CVSS provenance
nvdv3.05.3MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
ghsa5.3MEDIUM
osv5.3MEDIUM
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Jetty vulnerability
vendor_ubuntu·2012-04-26
CVE-2011-4461 Jetty vulnerability
Title: Jetty vulnerability
Summary: Jetty could be made to hang or crash if it received specially crafted
network traffic.
It was discovered that Jetty computed hash values for form parameters
without restricting the ability to trigger hash collisions predictably.
This could allow a remote attacker to cause a denial of service by
sending many crafted parameters.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
apache-geronimo: hash table collisions CPU usage DoS
vendor_redhat·2011-12-29·CVSS 5.3
CVE-2011-5034 [MEDIUM] CWE-400 apache-geronimo: hash table collisions CPU usage DoS
apache-geronimo: hash table collisions CPU usage DoS
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Statement: apache-geronimo is packaged with Red Hat OpenStack Platform 13.0's OpenDaylight (ODL). However because the flaw is moderate, Red Hat will not be releasing a fix for the ODL package at this time.
Package: geronimo (Red Hat AMQ Broker 7) - Not affected
Package: geronimo (Red Hat Fuse 7) - Not affected
Package: geronimo (Red Hat JBoss A-MQ 6) - Out of support scope
Package: geronimo (Red Hat JBoss Enterprise Application Platform
Red Hat
jetty: hash table collisions CPU usage DoS (oCERT-2011-003)
vendor_redhat·2011-12-28·CVSS 5.3
CVE-2011-4461 [MEDIUM] jetty: hash table collisions CPU usage DoS (oCERT-2011-003)
jetty: hash table collisions CPU usage DoS (oCERT-2011-003)
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Statement: The Red Hat Security Response Team has rated this issue as having Low security impact for the jetty-eclipse package in Red Hat Enterprise Linux 6. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Package: jetty-eclipse (Red Hat Enterprise Linux 6) - Will not fix
OSV
Improper Input Validation in Jetty
osv·2022-05-14
CVE-2011-4461 [MEDIUM] Improper Input Validation in Jetty
Improper Input Validation in Jetty
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
GHSA
Improper Input Validation in Jetty
ghsa·2022-05-14
CVE-2011-4461 [MEDIUM] CWE-20 Improper Input Validation in Jetty
Improper Input Validation in Jetty
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
GHSA
Apache Geronimo Hash Collisions Cause DoS
ghsa·2022-05-13·CVSS 5.3
CVE-2011-5034 [MEDIUM] CWE-400 Apache Geronimo Hash Collisions Cause DoS
Apache Geronimo Hash Collisions Cause DoS
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
OSV
Apache Geronimo Hash Collisions Cause DoS
osv·2022-05-13·CVSS 5.3
CVE-2011-5034 [MEDIUM] Apache Geronimo Hash Collisions Cause DoS
Apache Geronimo Hash Collisions Cause DoS
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
OSV
CVE-2011-4461: Jetty 8
osv·2011-12-29·CVSS 5.3
CVE-2011-4461 [MEDIUM] CVE-2011-4461: Jetty 8
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2011-5034 apache-geronimo: hash table collisions CPU usage DoS
bugzilla·2020-06-26·CVSS 5.3
CVE-2011-5034 [MEDIUM] CVE-2011-5034 apache-geronimo: hash table collisions CPU usage DoS
CVE-2011-5034 apache-geronimo: hash table collisions CPU usage DoS
Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Reference:
http://ocert.org/advisories/ocert-2011-003.html
Discussion:
External References:
https://geronimo.apache.org/22x-security-report.html
---
Upstream issue: https://issues.apache.org/jira/browse/GERONIMO-6253
---
This vulnerability is out of security support scope for the following products:
* Red Hat Jboss Fuse 6
* Red Hat JBoss A-MQ 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for mo
Bugzilla
CVE-2011-4461 jetty: hash table collisions CPU usage DoS (oCERT-2011-003) [fedora-all]
bugzilla·2012-01-14·CVSS 5.3
CVE-2011-4461 [MEDIUM] CVE-2011-4461 jetty: hash table collisions CPU usage DoS (oCERT-2011-003) [fedora-all]
CVE-2011-4461 jetty: hash table collisions CPU usage DoS (oCERT-2011-003) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?typ
Bugzilla
CVE-2011-4461 jetty: hash table collisions CPU usage DoS (oCERT-2011-003)
bugzilla·2012-01-14·CVSS 5.3
CVE-2011-4461 [MEDIUM] CVE-2011-4461 jetty: hash table collisions CPU usage DoS (oCERT-2011-003)
CVE-2011-4461 jetty: hash table collisions CPU usage DoS (oCERT-2011-003)
Julian Wälde and Alexander Klink reported a flaw in the hash function used in
the implementation of Java classes as HashMap and Hashtable, see bug #750533.
A specially-crafted set of keys could trigger hash function collisions, which
degrade dictionary performance by changing hash table operations complexity
from an expected/average O(1) to the worst case O(n). Reporters were able to
find colliding strings efficiently using meet in the middle attack.
A fix for this issue in jetty is available at:
http://dev.eclipse.org/mhonarc/lists/jetty-users/msg01818.html
https://github.com/eclipse/jetty.project/commit/085c79d7d6cfbccc02821ffdb64968593df3e0bf
Please note that for rhel-6 this flaw affects jetty-eclipse which i
http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.htmlhttp://marc.info/?l=bugtraq&m=143387688830075&w=2http://secunia.com/advisories/47408http://secunia.com/advisories/48981http://www.kb.cert.org/vuls/id/903934http://www.nruns.com/_downloads/advisory28122011.pdfhttp://www.ocert.org/advisories/ocert-2011-003.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlhttp://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.htmlhttp://www.securitytracker.com/id?1026475http://www.ubuntu.com/usn/USN-1429-1https://exchange.xforce.ibmcloud.com/vulnerabilities/72017https://security.netapp.com/advisory/ntap-20190307-0004/http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.htmlhttp://marc.info/?l=bugtraq&m=143387688830075&w=2http://secunia.com/advisories/47408http://secunia.com/advisories/48981http://www.kb.cert.org/vuls/id/903934http://www.nruns.com/_downloads/advisory28122011.pdfhttp://www.ocert.org/advisories/ocert-2011-003.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlhttp://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.htmlhttp://www.securitytracker.com/id?1026475http://www.ubuntu.com/usn/USN-1429-1https://exchange.xforce.ibmcloud.com/vulnerabilities/72017https://security.netapp.com/advisory/ntap-20190307-0004/
2011-12-30
Published