CVE-2011-5034
published 2011-12-30


Priority: P3 57 high
CVSS 2.0: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploit: available
EPSS: 81.16% (99.6th percentile)
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.

Affected

17 ranges
Vendor: apache · Product: geronimo · Version range: <= 2.2.1 · Fixed in: (not listed)
(The remaining 16 apache geronimo ranges are listed without version or fix data.)

Detection & IOCs (extracted from sources)

Command: POST <path> HTTP/1.1 with Content-Type: application/x-www-form-urlencoded; charset=utf-8 and a large body of hash-colliding parameters
  • Detect hash-collision DoS by monitoring for HTTP POST requests with an abnormally large number of form parameters (all with the same hash value under DJBX31A/Java hash function), causing sustained CPU spikes on the server.
  • Flag HTTP POST requests where Content-Type is application/x-www-form-urlencoded and the Content-Length is unusually large (approaching or exceeding 2 MB for Java targets), as the PoC trims payload to a maximum of 2 MB for Java/Geronimo.
  • The exploit generates a random payload to bypass IDS signatures; detection should focus on statistical anomalies in POST parameter counts and CPU consumption rather than static payload signatures.
  • The PoC targets Apache Geronimo specifically via HTTP POST to JSP endpoints; monitor Geronimo/Tomcat access logs for single-source IPs sending repeated large POST requests to .jsp paths.
  • Apache Geronimo versions 2.2.1 and earlier are vulnerable; versions packaged with Red Hat JBoss EAP 6/7, Fuse 7, AMQ Broker 7, and JBoss Web Server 3/5 are confirmed not affected.
  • Red Hat OpenStack Platform 13.0's OpenDaylight (ODL) bundles a vulnerable apache-geronimo but Red Hat will not release a fix; deployments should apply compensating controls (e.g., POST body size limits).
  • This CVE may overlap with CVE-2011-4461 (Jetty hash collision); ensure deduplication when tracking remediation across affected Java application servers.

CVSS provenance

nvd: CVSS v2.0 7.8 HIGH (AV:N/AC:L/Au:N/C:N/I:N/A:C)
ghsa: 5.3 MEDIUM
osv: 5.3 MEDIUM
vendor_redhat: 5.3 MEDIUM