Jetty 7.4.4: Workaround for CVE-2012-2739 (DoS attack) flaw
Dear Jetty Community,
The CVE-2012-2739 vulnerability is described as follows:
"Oracle Java SE before 7 Update 6, and OpenJDK 7 before 7u6 build 12 and 8 before build 39, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table."
Attackers might exploit this vulnerability to conduct a DoS attack against Java web application servers, specifically Jetty. This is because Jetty uses a Java Hashtable to handle POST data. I searched around for a way to defend against such attacks. So far, there are 3 possible ways from Jetty configuration:
1. Limiting the maximal number of parameters:
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  ...
  <Set name="maxFormKeys">200</Set>
</Configure>
It seems , offer a good solution to defend against this attack. Could anyone please tell me about your experience with the , configuration? Are they really the best choices to protect us from a DoS attack?
I couldn't see a possible Jetty configuration for ; could anyone here please give me some hints?
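As an added example, not part of the original post and not Jetty's own code, the following Python decoder applies the same idea that the maxFormKeys setting expresses: the number of form keys is counted and the request is rejected before the offending key is ever inserted into the hash table, so a crafted body costs the server at most the configured number of insertions. The names decode_form, FormLimitExceeded, rejects and build_form are hypothetical, and the sample bodies are constructed here.

```python
"""Added example (not from the post or from Jetty): a form-body decoder that
enforces a key-count limit before inserting into a dict, mirroring the
intent of Jetty's maxFormKeys setting. All names here are hypothetical."""
from urllib.parse import unquote_plus


class FormLimitExceeded(ValueError):
    """Raised when a request body violates a configured limit."""


def decode_form(body: str, max_form_keys: int = 200,
                max_form_content_size: int = 200_000) -> dict:
    """Decode an application/x-www-form-urlencoded body into a dict.

    The key limit is checked *before* each insertion, so an oversized body
    is rejected after at most max_form_keys hash-table operations rather
    than one per crafted parameter.
    """
    if len(body) > max_form_content_size:
        raise FormLimitExceeded(
            f"form body of {len(body)} bytes exceeds {max_form_content_size}")
    params: dict = {}
    key_count = 0
    for pair in body.split("&"):
        if not pair:
            continue  # tolerate a stray '&&' or trailing '&'
        key_count += 1
        if key_count > max_form_keys:
            # Stop here: nothing from this pair reaches the hash table.
            raise FormLimitExceeded(f"more than {max_form_keys} form keys")
        name, sep, value = pair.partition("=")
        decoded_value = unquote_plus(value) if sep else ""
        params.setdefault(unquote_plus(name), []).append(decoded_value)
    return params


def rejects(body: str, **limits) -> bool:
    """Return True if decode_form refuses the body under the given limits."""
    try:
        decode_form(body, **limits)
    except FormLimitExceeded:
        return True
    return False


def build_form(n: int) -> str:
    """Constructed sample input: n distinct parameters k0=v0&k1=v1&..."""
    return "&".join(f"k{i}=v{i}" for i in range(n))


if __name__ == "__main__":
    print(decode_form("a=1&b=2&a=3"))          # {'a': ['1', '3'], 'b': ['2']}
    print(len(decode_form(build_form(200))))   # 200
    print(rejects(build_form(201)))            # True
```

The same check exists in Jetty's form decoding once maxFormKeys is set; the point of the example is that the limit must be applied while parsing, not after the parameters have already been stored, otherwise the CPU cost of the collisions has already been paid.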