Oracle doesn't plan on doing anything to fix the issue in JRE

Dec 29, 2011 10:14 GMT  ·  By
Apache Tomcat's security team came up with a workaround for a serious vulnerability

A couple of researchers found that a critical vulnerability affects most web application frameworks, allowing a cybercriminal to launch denial-of-service (DoS) attacks. Since Apache Tomcat web server is among the ones affected, the Tomcat security team came forward with a workaround for the issue.

Apache Tomcat is exposed to the flaw, which is rooted in the Java hashtable implementation, because it stores HTTP request parameters in a hashtable. Since Oracle doesn’t plan on fixing the problem in the JRE, Tomcat has implemented a workaround of its own.

“Tomcat has implemented a work-around for this issue by providing a new option (maxParameterCount) to limit the number of parameters processed for a single request,” Tomcat’s Mark Thomas said.

“This default limit is 10000: high enough to be unlikely to affect any application; low enough to mitigate the effects of the DoS.”

The workaround is available in versions 7.0.23 and onwards, and 6.0.35 and later.

For users who rely on an earlier version of Apache Tomcat that does not have the maxParameterCount attribute, the issue can be mitigated by limiting the maxPostSize parameter to a few tens of kilobytes. This should work well in most deployments, but it may cause problems for some applications that legitimately post larger bodies.
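The two caps described above, the per-request parameter count (maxParameterCount) and the request body size (maxPostSize), can be illustrated with a small form-body parser. This is an added example, not Tomcat's own code: the class name, the cap values and the sample input are constructed here, and the parser mirrors the mechanism (stop inserting into the hash table once the cap is reached, refuse oversized bodies) rather than Tomcat's exact behaviour.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/** Illustration of the request-level caps discussed in the article (hypothetical class, Java 10+). */
public final class BoundedFormParser {
    private final int maxParameterCount; // analogue of Tomcat's maxParameterCount
    private final int maxPostSize;       // analogue of Tomcat's maxPostSize, in bytes
    private int dropped;                 // parameters ignored because the count cap was hit

    public BoundedFormParser(int maxParameterCount, int maxPostSize) {
        this.maxParameterCount = maxParameterCount;
        this.maxPostSize = maxPostSize;
    }

    public int droppedParameters() { return dropped; }

    /** Parses an application/x-www-form-urlencoded body. Oversized bodies are rejected outright;
     *  every parameter past the count cap is skipped, so the number of hash-table inserts
     *  (the expensive step under hash collisions) is bounded regardless of what the client sends. */
    public Map<String, String> parse(byte[] body) {
        if (body.length > maxPostSize) {
            throw new IllegalArgumentException("request body exceeds maxPostSize (" + maxPostSize + " bytes)");
        }
        String text = new String(body, StandardCharsets.ISO_8859_1);
        Map<String, String> params = new HashMap<>();
        dropped = 0;
        int accepted = 0;
        for (String pair : text.split("&")) {
            if (pair.isEmpty()) continue;
            if (accepted >= maxParameterCount) { dropped++; continue; } // cap reached: no insert
            int eq = pair.indexOf('=');
            String key = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8);
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8);
            params.put(key, value);
            accepted++;
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample input: 25 parameters against a cap of 10 (the article's default is 10000).
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 25; i++) sb.append(i == 0 ? "" : "&").append("k").append(i).append("=v").append(i);
        BoundedFormParser parser = new BoundedFormParser(10, 32 * 1024); // 32 KB body cap, assumed value
        Map<String, String> params = parser.parse(sb.toString().getBytes(StandardCharsets.ISO_8859_1));
        System.out.println("accepted=" + params.size() + " dropped=" + parser.droppedParameters());
    }
}
```

In a real deployment the caps live in the Connector configuration rather than in application code; the parser only shows why a fixed parameter limit keeps the work per request bounded.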

Even though the vulnerability is not really in Apache Tomcat, their security team came up with this workaround because the chances for someone to use the flaw to launch a malicious operation are fairly high.

Apache Tomcat customers are advised to immediately implement the workaround and upgrade to the versions in which it’s available to make sure they’re protected against potential attacks.

Zero-day vulnerabilities are always a good opportunity for hackers to step into action and make tons of money from those who fail to deploy the updates in time.

Other web programming languages and applications are also susceptible to a similar DoS attack. Apache Tomcat 7.0.23 / 6.0.35 / 5.5.33 is available for download.