2025-01-17 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
This article walks through the hash table collision denial-of-service vulnerability as it affects Tomcat.
You may have heard about vulnerabilities in the implementation of hash tables in Java. Tomcat is also affected by this problem, because it uses hash tables to store HTTP request parameters. So far, Oracle has not provided a patch for this issue.
As a workaround, Tomcat provides a new option, maxParameterCount, which limits the number of parameters in a request. Its default value is 10000, which is sufficient for most applications and low enough to work around the hash table bug in the JRE.
Currently, this workaround will be implemented in the following versions:
Trunk
7.0.23 onwards
6.0.35 onwards
This method will also be implemented in the upcoming version 5.5.35.
If you are using an earlier version of Tomcat without the maxParameterCount attribute, you can solve this problem by limiting maxPostSize to below 10kb.
Although this is not a bug in Tomcat itself, the Tomcat security team published this announcement to inform users of the potential problem.
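To check a deployment against the workaround described above, the following added example (not part of the original article or of Tomcat) audits the Connector elements of a server.xml. It assumes the two limits are set as Connector attributes, reads "below 10kb" as 10 × 1024 bytes, and uses a constructed sample configuration; the function name and finding texts are hypothetical.

```python
import xml.etree.ElementTree as ET

DEFAULT_MAX_PARAMS = 10000      # default stated in the article
POST_LIMIT_BYTES = 10 * 1024    # "below 10kb", read here as 10 KiB (assumption)

def audit_connectors(server_xml, has_max_parameter_count):
    """Return (port, finding) tuples for Connectors that miss the article's guidance.

    has_max_parameter_count: True for releases that ship the attribute
    (7.0.23+, 6.0.35+), False for older ones.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if has_max_parameter_count:
            raw = conn.get("maxParameterCount")
            count = DEFAULT_MAX_PARAMS if raw is None else int(raw)
            if count < 0:
                # Tomcat treats a negative value as "no limit".
                findings.append((port, "maxParameterCount < 0 disables the limit"))
            elif count > DEFAULT_MAX_PARAMS:
                findings.append((port, f"maxParameterCount raised to {count}"))
        else:
            raw = conn.get("maxPostSize")
            # Assumption: a missing or non-positive value gives no useful cap.
            if raw is None or not 0 < int(raw) < POST_LIMIT_BYTES:
                findings.append((port, "maxPostSize not limited below 10 KB"))
    return findings

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8081" protocol="HTTP/1.1" maxParameterCount="-1"/>
  <Connector port="8082" protocol="HTTP/1.1" maxParameterCount="500000"/>
  <Connector port="8083" protocol="HTTP/1.1" maxPostSize="8192"/>
</Service></Server>"""

if __name__ == "__main__":
    for patched in (True, False):
        print("has maxParameterCount:", patched)
        for port, msg in audit_connectors(SAMPLE, patched):
            print(f"  port {port}: {msg}")
```

Pass `True` for a release that has maxParameterCount and `False` for an older one that must rely on maxPostSize.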