CVE-2011-5034
Published: 2011-12-30
CVE-2011-5034: Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows…
Priority: P3 57
Severity: high, CVSS 2.0 base score 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploit: available
EPSS: 81.16% (99.6th percentile)
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | geronimo | <= 2.2.1 | — |
Detection & IOCs (extracted from sources)
Command: POST <path> HTTP/1.1 with Content-Type: application/x-www-form-urlencoded; charset=utf-8 and a large body of hash-colliding parameters
- Detect hash-collision DoS by monitoring for HTTP POST requests with an abnormally large number of form parameters (all with the same hash value under the DJBX31A/Java String hash function) that cause sustained CPU spikes on the server.
- Flag HTTP POST requests where Content-Type is application/x-www-form-urlencoded and Content-Length is unusually large (approaching or exceeding 2 MB for Java targets); the PoC trims its payload to a maximum of 2 MB for Java/Geronimo.
- The exploit generates a random payload to bypass IDS signatures, so detection should focus on statistical anomalies in POST parameter counts and CPU consumption rather than on static payload signatures.
- The PoC targets Apache Geronimo specifically via HTTP POST to JSP endpoints; monitor Geronimo/Tomcat access logs for single source IPs sending repeated large POST requests to .jsp paths.
- Apache Geronimo versions 2.2.1 and earlier are vulnerable; the versions packaged with Red Hat JBoss EAP 6/7, Fuse 7, AMQ Broker 7, and JBoss Web Server 3/5 are confirmed not affected.
- Red Hat OpenStack Platform 13.0's OpenDaylight (ODL) bundles a vulnerable apache-geronimo but Red Hat will not release a fix; deployments should apply compensating controls (e.g., POST body size limits).
- This CVE may overlap with CVE-2011-4461 (Jetty hash collision); deduplicate when tracking remediation across affected Java application servers.
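The detection bullets above reduce to three measurable signals on a single request: body size, parameter count, and how many parameter names fall into the same Java hash bucket. The following is an added example, not code from the CVE record, from Apache Geronimo or from any of the advisories cited here. It re-implements Java's `String.hashCode()` (the DJBX31A function named above) so a defender can compute the distinct-hash ratio of a form body, and combines it with the size and count thresholds. All thresholds, the function names and the sample requests are assumptions constructed for illustration; the only collision it hard-codes is the textbook pair "Aa"/"BB".

```python
"""Heuristic detector for hash-collision POST floods (CVE-2011-5034 style).

Added example, not code from the CVE record or from any vendor advisory.
Thresholds below are assumptions chosen for illustration; tune per application.
"""
from collections import Counter
from urllib.parse import parse_qsl

MAX_PARAMS = 1000                  # assumed: legitimate forms rarely exceed a few hundred fields
MAX_BODY_BYTES = 2 * 1024 * 1024   # the PoC caps Java payloads at 2 MB (from the IOC list)
MIN_DISTINCT_RATIO = 0.5           # distinct hashes / parameter count; ~1.0 is normal traffic
MIN_PARAMS_FOR_RATIO = 32          # assumed: below this, too few names to judge collisions


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over UTF-16 code units, 32-bit signed wrap."""
    h = 0
    data = s.encode("utf-16-be")
    for i in range(0, len(data), 2):
        unit = (data[i] << 8) | data[i + 1]
        h = (31 * h + unit) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


def inspect_post(headers: dict, body: str) -> dict:
    """Score one POST request and return the measured signals plus the reasons it tripped."""
    reasons = []
    ctype = headers.get("Content-Type", "").lower()
    if not ctype.startswith("application/x-www-form-urlencoded"):
        # Only urlencoded bodies are parsed into a parameter hash table by the server.
        return {"param_count": 0, "distinct_ratio": 1.0, "largest_bucket": 0,
                "reasons": reasons, "suspicious": False}

    body_bytes = len(body.encode("utf-8"))
    # max_num_fields is left open so the detector can count everything; a real
    # parser should set it, since capping the field count is the actual mitigation.
    names = [k for k, _ in parse_qsl(body, keep_blank_values=True, max_num_fields=None)]
    n = len(names)
    buckets = Counter(java_string_hash(k) for k in names)
    distinct_ratio = len(buckets) / n if n else 1.0
    largest_bucket = max(buckets.values()) if buckets else 0

    if body_bytes > MAX_BODY_BYTES:
        reasons.append("body_size")
    if n > MAX_PARAMS:
        reasons.append("param_count")
    if n >= MIN_PARAMS_FOR_RATIO and distinct_ratio < MIN_DISTINCT_RATIO:
        reasons.append("hash_collisions")
    return {"param_count": n, "distinct_ratio": distinct_ratio,
            "largest_bucket": largest_bucket, "reasons": reasons,
            "suspicious": bool(reasons)}


FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}


def benign_request() -> tuple:
    """Constructed sample: an ordinary three-field login form."""
    return FORM_HEADERS, "user=alice&lang=en&page=2"


def flood_request() -> tuple:
    """Constructed sample: 5000 distinct names; trips the count signal only, not the hash one."""
    return FORM_HEADERS, "&".join(f"p{i}=x" for i in range(5000))


def collision_pair_request() -> tuple:
    """Constructed sample: the textbook pair 'Aa'/'BB' share Java hash 2112."""
    return FORM_HEADERS, "Aa=1&BB=2"


if __name__ == "__main__":
    for label, req in [("benign", benign_request()), ("flood", flood_request()),
                       ("collision pair", collision_pair_request())]:
        print(label, inspect_post(*req))
```

The collision-pair sample shows the metric without producing an attack payload: two names, one bucket, ratio 0.5, yet nothing is flagged because the request is far below `MIN_PARAMS_FOR_RATIO`. In production the durable fix is a hard cap on parameters per request (Python's `parse_qsl` exposes this as `max_num_fields`; Tomcat's connector has `maxParameterCount`), with the ratio check kept as a detection signal for servers that cannot be upgraded, such as the ODL bundle Red Hat declined to patch.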
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
| ghsa | — | 5.3 | MEDIUM | — |
| osv | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
Red Hat
apache-geronimo: hash table collisions CPU usage DoS
vendor_redhat · 2011-12-29 · CVSS 5.3 · CVE-2011-5034 [MEDIUM] · CWE-400
Statement: apache-geronimo is packaged with Red Hat OpenStack Platform 13.0's OpenDaylight (ODL). However because the flaw is moderate, Red Hat will not be releasing a fix for the ODL package at this time.
Package: geronimo (Red Hat AMQ Broker 7) - Not affected
Package: geronimo (Red Hat Fuse 7) - Not affected
Package: geronimo (Red Hat JBoss A-MQ 6) - Out of support scope
Package: geronimo (Red Hat JBoss Enterprise Application Platform
GHSA
Apache Geronimo Hash Collisions Cause DoS
ghsa · 2022-05-13 · CVSS 5.3 · CVE-2011-5034 [MEDIUM] · CWE-400
OSV
Apache Geronimo Hash Collisions Cause DoS
osv · 2022-05-13 · CVSS 5.3 · CVE-2011-5034 [MEDIUM]
No detection rules found.
Exploit-DB
PHP Hash Table Collision - Denial of Service (PoC)
exploitdb · 2012-01-03 · CVSS 5.0 · CVE-2011-4885 [MEDIUM]
---
```python
#!/usr/bin/env python
"""
This script was written by Christian Mehlmauer
https://twitter.com/#!/_FireFart_
Sourcecode online at:
https://github.com/FireFart/HashCollision-DOS-POC
Original PHP Payloadgenerator taken from https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
http://www.ocert.org/advisories/ocert-2011-003.html
CVE:
Apache Geronimo: CVE-2011-5034
Oracle Glassfish: CVE-2011-5035
PHP: CVE-2011-4885
Apache Tomcat: CVE-2011-4858
requires Python 2.7
Examples:
-) Make a single Request, wait for the response and save the response to output0.html
python HashtablePOC.py -u https://host/index.php -v -c 1 -w -o output -t PHP
-) Take down a PHP server(make 500 requests without waiting for a response):
p
```
Exploit-DB
MyBulletinBoard (MyBB) 1.1.5 - 'CLIENT-IP' SQL Injection
exploitdb · 2006-07-15 · CVE-2011-5035
---
```php
#!/usr/bin/php -q -d short_open_tag=on
// Excerpt of the vulnerable MyBB session code: the client IP is taken from
// the request (via getip(), which honours the CLIENT-IP header) and placed
// unescaped into the SQL query below.
$this->ipaddress = $ipaddress = getip();
//
// User-agent
//
$this->useragent = $_SERVER['HTTP_USER_AGENT'];
if(strlen($this->useragent) > 100)
{
    $this->useragent = substr($this->useragent, 0, 100);
}
//
// Attempt to find a session id in the cookies
//
if($_COOKIE['sid'])
{
    $this->sid = addslashes($_COOKIE['sid']);
}
else
{
    $this->sid = 0;
}
//
// Attempt to load the session from the database
//
// $this->ipaddress is concatenated without addslashes(), unlike $this->sid
$query = $db->query("SELECT sid,uid FROM ".TABLE_PREFIX."sessions WHERE sid='".$this->sid."' AND ip='".$this->ipaddress."'");
...
```
injection is blind, but you can ask true-false questions to the database to
retrieve the admin loginkey.
Through that you can build an admin cookie and create a new admin
Metasploit
Hashtable Collisions
metasploit
This module uses a denial-of-service (DoS) condition appearing in a variety of programming languages. This vulnerability occurs when storing multiple values in a hash table and all values have the same hash value. This can cause a web server parsing the POST parameters issued with a request into a hash table to consume hours of CPU with a single HTTP request. Currently, only the hash functions for PHP and Java are implemented. This module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo. It also generates a random payload to bypass some IDS signatures.
References
- http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
- http://secunia.com/advisories/47412
- http://www.kb.cert.org/vuls/id/903934
- http://www.nruns.com/_downloads/advisory28122011.pdf
- http://www.ocert.org/advisories/ocert-2011-003.html
- https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py
- https://lists.apache.org/thread.html/r20957aa5962a48328f199e2373f408aeeae601a45dd5275a195e2b6e%40%3Cjava-dev.axis.apache.org%3E
- https://lists.apache.org/thread.html/r360b70489bad65286b49ceb5303a849d2a7ec7d1292774a7259579e1%40%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/r3c541f019b74902e8e61d73e40ecc2837dfce1b744ad5546919b993c%40%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/r4fe6b5ff1d48e23337304fd5ac983d89328aecbd1fa198cfc966fbd7%40%3Cdev.geronimo.apache.org%3E
- https://lists.apache.org/thread.html/r653f633aa7b6ccbb8c338dbfcea7a00e4ae9d6f3e064a03cab8dc20d%40%3Cjava-dev.axis.apache.org%3E
- https://lists.apache.org/thread.html/r67747af92035942c9c413bd8394acbb8a1ace5833c0177014c825bc2%40%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/r8dc1a0ae0e0cf9d2494b8cbd66562f99331c4cf635e7781850a9b9ba%40%3Cjava-dev.axis.apache.org%3E
- https://lists.apache.org/thread.html/ra10015f6f3c3c88b7d813383554e87c06347fe163487148669189b8e%40%3Cdev.geronimo.apache.org%3E
- https://lists.apache.org/thread.html/ra1fe29f6399b68980f914d8613dee7f67d62a1a97722fe9cd56f4f5f%40%3Cdev.geronimo.apache.org%3E
- https://lists.apache.org/thread.html/rb0e85243d7268f1d7a1edb5e6c7df885dbd300acabaaf4cb0e880518%40%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/rdd67ea3e489134f653349fc2cb09828ac8462aa61dd776b505a3297a%40%3Cissues.karaf.apache.org%3E