Oracle.Product.Hashing.Collision.DoS

Description

GlassFish is an open-source application server project started by Sun Microsystems for the Java EE platform and now sponsored by Oracle Corporation.
Oracle GlassFish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869. (CVE-2011-5035)
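
A defender-side check for the condition described above, added here as an example and not taken from the advisory or the vendor: it counts the form parameters in a request body and measures how many distinct parameter names share one hash value. It assumes parameter names are hashed with Java's String.hashCode(); the thresholds, function names and sample body are illustrative.

```python
from collections import Counter
from urllib.parse import parse_qsl

# Illustrative thresholds (assumptions, not vendor guidance); tune per application.
MAX_PARAMS = 1000
MAX_BUCKET = 50

# Constructed sample body: "Aa" and "BB" are a textbook pair with equal hashCode().
SAMPLE_BODY = "Aa=1&BB=2&user=alice&lang=en"


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over UTF-16 code units, signed 32-bit."""
    data = s.encode("utf-16-be", "surrogatepass")
    h = 0
    for i in range(0, len(data), 2):
        unit = (data[i] << 8) | data[i + 1]
        h = (31 * h + unit) & 0xFFFFFFFF
    # Reinterpret the unsigned 32-bit value as a signed Java int.
    return h - (1 << 32) if h & 0x80000000 else h


def inspect_form_body(body: str, max_params: int = MAX_PARAMS,
                      max_bucket: int = MAX_BUCKET) -> dict:
    """Summarise an application/x-www-form-urlencoded body and flag a likely flood."""
    pairs = parse_qsl(body, keep_blank_values=True)
    # Repeated names land on one map key, so only distinct names build a chain.
    names = {name for name, _ in pairs}
    buckets = Counter(java_string_hash(name) for name in names)
    largest = max(buckets.values(), default=0)
    return {
        "param_count": len(pairs),
        "distinct_names": len(names),
        "largest_bucket": largest,
        "suspicious": len(pairs) > max_params or largest > max_bucket,
    }


if __name__ == "__main__":
    print(inspect_form_body(SAMPLE_BODY))
```
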

Affected Products

Oracle GlassFish before 3.1.1

Impact

The vulnerable system could be compromised and system resources could be interrupted, resulting in a denial of service condition.

Recommended Actions

At the time of writing this advisory, there is no security patch provided by the vendor.

Coverage

IPS (Regular DB)
IPS (Extended DB)