Release date: 2011-12-29
Updated on: 2011-12-30
Affected Systems:
Jetty 7.x
Jetty 6.x
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 51199
CVE ID: CVE-2011-4461
Jetty is an open-source servlet container that provides a runtime environment for Java-based web content such as JSPs and servlets.
Jetty has an error in the hash generation function used when processing posted form data and updating the hash table that holds it. By sending a specially crafted form in an HTTP POST request, an attacker can exploit this vulnerability to trigger hash collisions, which causes high CPU consumption.
<* Source: Alexander Klink (a.klink@cynops.de)
Link: http://www.ocert.org/advisories/ocert-2011-003.html
*>
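A defensive check for the condition described above, as an added example that is not part of the original advisory and is not Jetty code. It inspects a URL-encoded form body before the keys reach a hash table and flags bodies whose distinct keys concentrate on one hash value. It assumes the keys are hashed with Java's String.hashCode(); the function names, thresholds and sample bodies are constructed for illustration.

```python
from collections import Counter
from urllib.parse import parse_qsl


def java_string_hash(s: str) -> int:
    """Java String.hashCode(): h = 31*h + unit over UTF-16 code units, signed 32-bit."""
    h = 0
    data = s.encode("utf-16-be")
    for i in range(0, len(data), 2):
        unit = (data[i] << 8) | data[i + 1]
        h = (31 * h + unit) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def inspect_form_body(body: str, max_keys: int = 1000, max_per_hash: int = 8) -> dict:
    """Summarise one application/x-www-form-urlencoded body.

    max_keys and max_per_hash are hypothetical thresholds chosen for this example.
    """
    # Repeated occurrences of the same key share one table entry, so count distinct keys.
    keys = {k for k, _ in parse_qsl(body, keep_blank_values=True)}
    per_hash = Counter(java_string_hash(k) for k in keys)
    largest = max(per_hash.values(), default=0)
    reasons = []
    if len(keys) > max_keys:
        reasons.append("too many distinct keys")
    if largest > max_per_hash:
        reasons.append("keys concentrated on one hash value")
    return {
        "distinct_keys": len(keys),
        "largest_bucket": largest,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample bodies (not taken from the advisory).
NORMAL_BODY = "user=alice&email=a%40example.com&lang=en"
COLLIDING_BODY = "Aa=1&BB=2&user=x"  # "Aa" and "BB" share the same Java hash value

if __name__ == "__main__":
    print(inspect_form_body(NORMAL_BODY))
    # A threshold of 1 is used only so the tiny sample trips the check.
    print(inspect_form_body(COLLIDING_BODY, max_per_hash=1))
```

In production the thresholds would be tuned against normal traffic, and the request would be rejected before the body is parsed into a parameter map.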
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Jetty
-----
The vendor has not yet provided a patch or upgrade. Users of the software should watch the vendor's homepage for the latest version:
http://jetty.sourceforge.net