CVE-2011-4858
Published 2012-01-05
PriorityP346medium5CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit available
EPSS: 80.32% (99.6th percentile)
Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Affected
apache / tomcat: 95 affected version ranges (individual ranges and fixed-in versions are not listed in this record; the fixed releases named in the advisories below are 5.5.35, 6.0.35 and 7.0.23).
Detection & IOCs (extracted from sources)
Command: POST <path> HTTP/1.1 with Content-Type: application/x-www-form-urlencoded; charset=utf-8 and a large body of hash-colliding parameters
- Detect CVE-2011-4858 exploitation by monitoring for HTTP POST requests with an abnormally large number of form parameters (hash-colliding keys) sent to Java/Tomcat endpoints, causing sustained CPU exhaustion. The attack uses the collision property of the DJBX31A hash function behind Java's Hashtable.
- Alert on POST requests with Content-Type: application/x-www-form-urlencoded where the body contains thousands of parameters with identical hash values (colliding keys). The PoC generates payloads of up to 2MB for Java targets.
- The Metasploit module generates a random payload to bypass IDS signatures; detection should focus on parameter-count anomalies correlated with CPU spikes rather than on static payload signatures.
- Monitor Tomcat for requests exceeding the maxParameterCount threshold (default 10000). Requests with parameter counts near or above this limit targeting .jsp endpoints are strong indicators of HashDoS exploitation attempts.
- The PoC targets Java's DJBX31A hash function (char range 0–128) for collision generation; PHP uses DJBX33A (char range 0–255). Ensure detection logic distinguishes Java/Tomcat targets (typically .jsp paths, default max payload 2MB) from PHP targets (default max 8MB).
- CVE-2011-4858 and CVE-2012-0022 share overlapping patches in Tomcat; both involve parameter-handling DoS but via different mechanisms (hash collisions vs. general parameter-count inefficiency). Treat them as distinct detections.
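As an added example (not code from this page's sources, the PoC, or Tomcat), the detection logic the notes above describe, run over constructed request bodies: it counts form parameters against Tomcat's default maxParameterCount and measures how many distinct parameter names land in one Java String.hashCode bucket. The function names, thresholds and sample bodies are assumptions; the "Aa"/"BB" pair is the textbook Java hashCode collision.

```python
from collections import Counter
from urllib.parse import unquote_plus

# Tomcat's default maxParameterCount, as quoted in the detection notes above.
MAX_PARAMETER_COUNT = 10000

# Constructed samples (not captured traffic): an ordinary login post, and a body
# whose eight distinct names all share one Java hashCode ("Aa" and "BB" collide).
BENIGN_BODY = "user=alice&password=s3cret&remember=1"
COLLIDING_NAMES = ["AaAaAa", "AaAaBB", "AaBBAa", "AaBBBB",
                   "BBAaAa", "BBAaBB", "BBBBAa", "BBBBBB"]
SUSPICIOUS_BODY = "&".join(name + "=x" for name in COLLIDING_NAMES)


def java_string_hash(s):
    """Java String.hashCode(): h = 31*h + c over the chars, as a signed 32-bit int.
    Assumes BMP characters (Python code points equal Java UTF-16 units there)."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h & 0x80000000 else h


def form_param_names(body):
    """Decoded parameter names of an application/x-www-form-urlencoded body."""
    return [unquote_plus(pair.split("=", 1)[0]) for pair in body.split("&") if pair]


def analyse_form_body(body, count_limit=MAX_PARAMETER_COUNT,
                      min_params=100, collision_ratio=0.5):
    """Score one body for HashDoS indicators: a parameter count at or above the
    maxParameterCount limit, or a large share of distinct names in one bucket."""
    names = form_param_names(body)
    distinct = set(names)
    buckets = Counter(java_string_hash(n) for n in distinct)
    largest = max(buckets.values()) if buckets else 0
    ratio = largest / len(distinct) if distinct else 0.0
    reasons = []
    if len(names) >= count_limit:
        reasons.append("%d parameters >= maxParameterCount %d" % (len(names), count_limit))
    if len(distinct) >= min_params and ratio >= collision_ratio:
        reasons.append("%.0f%% of %d distinct names share one hashCode"
                       % (ratio * 100, len(distinct)))
    return {"params": len(names), "largest_bucket": largest,
            "collision_ratio": ratio, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("colliding", SUSPICIOUS_BODY)):
        print(label, analyse_form_body(body, min_params=8))
```

In production the same two measures would be taken on the decoded body before it reaches the servlet container, with min_params raised to a value that ordinary forms never approach.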
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| ghsa | — | 5.0 | MEDIUM | — |
| osv | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
Ubuntu
Tomcat vulnerabilities
vendor_ubuntu · 2012-02-13 · CVSS 5.0
CVE-2011-3375 [MEDIUM]
Summary: Tomcat could be made to crash or expose sensitive information if it received specially crafted network traffic.
It was discovered that Tomcat incorrectly performed certain caching and
recycling operations. A remote attacker could use this flaw to obtain read
access to IP address and HTTP header information in certain cases. This
issue only applied to Ubuntu 11.10. (CVE-2011-3375)
It was discovered that Tomcat computed hash values for form parameters
without restricting the ability to trigger hash collisions predictably.
A remote attacker could cause a denial of service by sending many crafted
parameters. (CVE-2011-4858)
It was discovered that Tomcat incorrectly handled parameters. A remote
attacker could cause a denial of service by sending reques
Red Hat
tomcat: large number of parameters DoS
vendor_redhat · 2012-01-17 · CVSS 5.0
CVE-2012-0022 [MEDIUM]
Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.
Red Hat
tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
vendor_redhat · 2011-12-28 · CVSS 5.0
CVE-2011-4858 [MEDIUM]
Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
GHSA
Improper Input Validation in Apache Tomcat
ghsa · 2022-05-14
CVE-2011-4858 [MEDIUM] · CWE-20
Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
OSV
Improper Input Validation in Apache Tomcat
osv · 2022-05-14
CVE-2011-4858 [MEDIUM]
Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
OSV
Denial of Service in Apache Tomcat
osv · 2022-05-04 · CVSS 5.0
CVE-2012-0022 [MEDIUM]
Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.
GHSA
Denial of Service in Apache Tomcat
ghsa · 2022-05-04 · CVSS 5.0
CVE-2012-0022 [MEDIUM]
Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.
No detection rules found.
Exploit-DB
PHP Hash Table Collision - Denial of Service (PoC)
exploitdb · 2012-01-03 · CVSS 5.0
CVE-2011-4885 [MEDIUM]
---
```python
#!/usr/bin/env python
"""
This script was written by Christian Mehlmauer
https://twitter.com/#!/_FireFart_
Sourcecode online at:
https://github.com/FireFart/HashCollision-DOS-POC
Original PHP Payloadgenerator taken from https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
http://www.ocert.org/advisories/ocert-2011-003.html
CVE:
Apache Geronimo: CVE-2011-5034
Oracle Glassfish: CVE-2011-5035
PHP: CVE-2011-4885
Apache Tomcat: CVE-2011-4858
requires Python 2.7
Examples:
-) Make a single Request, wait for the response and save the response to output0.html
python HashtablePOC.py -u https://host/index.php -v -c 1 -w -o output -t PHP
-) Take down a PHP server (make 500 requests without waiting for a response):
p
```
Exploit-DB
MyBulletinBoard (MyBB) 1.1.5 - 'CLIENT-IP' SQL Injection
exploitdb · 2006-07-15
CVE-2011-5035
---
```php
#!/usr/bin/php -q -d short_open_tag=on
ipaddress = $ipaddress = getip();
//
// User-agent
//
$this->useragent = $_SERVER['HTTP_USER_AGENT'];
if(strlen($this->useragent) > 100)
{
    $this->useragent = substr($this->useragent, 0, 100);
}
//
// Attempt to find a session id in the cookies
//
if($_COOKIE['sid'])
{
    $this->sid = addslashes($_COOKIE['sid']);
}
else
{
    $this->sid = 0;
}
//
// Attempt to load the session from the database
//
$query = $db->query("SELECT sid,uid FROM ".TABLE_PREFIX."sessions WHERE sid='".$this->sid."' AND ip='".$this->ipaddress."'");
```
...
injection is blind, but you can ask true-false questions to the database to
retrieve the admin loginkey.
Through that you can build an admin cookie and create a new admin
Metasploit
Hashtable Collisions
metasploit
This module uses a denial-of-service (DoS) condition appearing in a variety of programming languages. This vulnerability occurs when storing multiple values in a hash table and all values have the same hash value. This can cause a web server parsing the POST parameters issued with a request into a hash table to consume hours of CPU with a single HTTP request. Currently, only the hash functions for PHP and Java are implemented. This module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo. It also generates a random payload to bypass some IDS signatures.
Bugzilla
CVE-2012-0022 tomcat: large number of parameters DoS
bugzilla · 2012-01-20 · CVSS 5.0
CVE-2012-0022 [MEDIUM]
From the upstream advisory [1]:
Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values. These inefficiencies could allow an attacker, via a specially crafted request, to cause large amounts of CPU to be used which in turn could create a denial of service. The issue was addressed by modifying the Tomcat parameter handling code to efficiently process large numbers of parameters and parameter values.
Upstream has released 7.0.23, 6.0.35 and 5.5.35 to correct this flaw. Earlier versions of Tomcat may also be affected.
[1] http://seclists.org/bugtraq/2012/Jan/111
Discussion:
As noted in bug #750521, the fixes do overlap wit
Bugzilla
CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
bugzilla · 2011-11-01 · CVSS 5.0
CVE-2011-4858 [MEDIUM]
Julian Wälde and Alexander Klink reported a way to degrade performance of the Java Hashtable implementation by filling the hash table with keys with identical hash codes - see bug #750533 for details. This issue can be used to mount an efficient denial of service attack against Tomcat application server, that parses HTTP request parameters to a hash table and hence exposes this problem. A remote attack could use that to make Tomcat java process use an excessive amount of CPU time by sending a POST request with large amount of parameters which hash to the same value.
Discussion:
Acknowledgements:
Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Julian Wälde and Alexander Klink as the
Bugzilla
CVE-2011-1575 pure-ftpd: command injection during plaintext to TLS session switch
bugzilla · 2011-03-08 · CVSS 6.8
CVE-2011-1575 [MEDIUM]
Pure-FTPd has released version 1.0.30 which fixes a STARTTLS flaw similar to Postfix's CVE-2011-0411 [1]. Upgrading is recommended.
References:
[1] http://www.pureftpd.org/project/pure-ftpd/news
Discussion:
Created pure-ftpd tracking bugs for this issue
Affects: fedora-all [bug 683223]
Affects: epel-all [bug 683224]
---
This was assigned the name CVE-2011-1575:
http://permalink.gmane.org/gmane.comp.security.oss.general/4858
References
- http://mail-archives.apache.org/mod_mbox/tomcat-announce/201112.mbox/%3c4EFB9800.5010106%40apache.org%3e
- http://marc.info/?l=bugtraq&m=132871655717248&w=2
- http://marc.info/?l=bugtraq&m=133294394108746&w=2
- http://marc.info/?l=bugtraq&m=136485229118404&w=2
- http://rhn.redhat.com/errata/RHSA-2012-0074.html
- http://rhn.redhat.com/errata/RHSA-2012-0075.html
- http://rhn.redhat.com/errata/RHSA-2012-0076.html
- http://rhn.redhat.com/errata/RHSA-2012-0077.html
- http://rhn.redhat.com/errata/RHSA-2012-0078.html
- http://rhn.redhat.com/errata/RHSA-2012-0089.html
- http://rhn.redhat.com/errata/RHSA-2012-0325.html
- http://rhn.redhat.com/errata/RHSA-2012-0406.html
- http://secunia.com/advisories/48549
- http://secunia.com/advisories/48790
- http://secunia.com/advisories/48791
- http://secunia.com/advisories/54971
- http://secunia.com/advisories/55115
- http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
- http://www.debian.org/security/2012/dsa-2401
- http://www.kb.cert.org/vuls/id/903934
- http://www.nruns.com/_downloads/advisory28122011.pdf
- http://www.ocert.org/advisories/ocert-2011-003.html
- http://www.securityfocus.com/bid/51200
- https://bugzilla.redhat.com/show_bug.cgi?id=750521
- https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18886