Jetty 7.4.4: Workaround for CVE-2012-2739 (DoS attack) flaw


trinpm
Dear Jetty Community,

The CVE-2012-2739 vulnerability is described as follows:
"Oracle Java SE before 7 Update 6, and OpenJDK 7 before 7u6 build 12 and 8 before build 39, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table."

Attackers might exploit this vulnerability to conduct a DoS attack against Java web application servers, specifically Jetty. This is because Jetty uses a Java Hashtable to handle POST data. I searched around for a way to defend against such attacks. So far, there are 3 possible ways via Jetty configuration:

1. Limiting maximal number of parameters:
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
...
<Set name="maxFormKeys">200</Set>
</Configure>


2. Limiting maximal POST size:
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
...
<Set name="maxFormContentSize">200000</Set>
</Configure> 


3. Limiting CPU time to handle request.

It seems [1] and [2] offer a good solution to defend against this attack. Could anyone please tell me about your experience with the [1] and [2] configurations? Are they really the best choices to protect us from a DoS attack?
I couldn't see a possible Jetty configuration for [3]; could anyone here please give me some hints?

Thanks in advance,
Tri
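The following is an added illustration of how the two limits from the post (maxFormContentSize and maxFormKeys) interact when a form body is parsed; it is example code written for this page, not Jetty's own parser and not part of the original post. The limit values mirror the ones quoted above, the parser is a simplified application/x-www-form-urlencoded reader, and `max_keys_within_size` is an assumed helper that shows why a size cap alone does not bound the number of hash-table keys.

```python
from urllib.parse import unquote_plus

# Constructed limits mirroring the two Jetty settings quoted in the post.
MAX_FORM_CONTENT_SIZE = 200_000   # bytes, like <Set name="maxFormContentSize">
MAX_FORM_KEYS = 200               # parameters, like <Set name="maxFormKeys">


class FormLimitExceeded(ValueError):
    """Raised when a POST body violates one of the configured limits."""


def parse_form(body: bytes,
               max_content_size: int = MAX_FORM_CONTENT_SIZE,
               max_form_keys: int = MAX_FORM_KEYS) -> dict:
    """Parse a urlencoded form body while enforcing both limits.

    The size check runs before any decoding, so rejecting an oversized body
    costs O(1).  The key count is checked as pairs are read, so the table never
    grows beyond max_form_keys; that caps the work an attacker can force with
    colliding keys, since the collision cost grows with the number of keys.
    Repeated names are kept as a list, as servlet containers do.
    """
    if len(body) > max_content_size:
        raise FormLimitExceeded(
            f"body of {len(body)} bytes exceeds maxFormContentSize={max_content_size}")

    params: dict = {}
    count = 0
    for pair in body.split(b"&"):
        if not pair:            # tolerate "a=1&&b=2"
            continue
        count += 1
        if count > max_form_keys:
            raise FormLimitExceeded(
                f"more than maxFormKeys={max_form_keys} parameters in body")
        name, _, value = pair.partition(b"=")   # "a" alone becomes a="" key
        key = unquote_plus(name.decode("latin-1"))
        params.setdefault(key, []).append(unquote_plus(value.decode("latin-1")))
    return params


def max_keys_within_size(max_content_size: int) -> int:
    """Largest number of parameters that still fits under the size limit.

    Assumed helper: the smallest parameter this parser accepts is a one-byte
    name with no '=' (1 byte), and n parameters need n-1 '&' separators, so
    n keys occupy 2n-1 bytes.  Solving 2n-1 <= size gives n <= (size+1)//2.
    """
    return (max_content_size + 1) // 2


if __name__ == "__main__":
    # Constructed sample bodies.
    print(parse_form(b"user=tri&msg=hello+world"))
    print("keys that fit under the size cap alone:",
          max_keys_within_size(MAX_FORM_CONTENT_SIZE))
    try:
        parse_form(b"&".join(b"k%d=v" % i for i in range(MAX_FORM_KEYS + 1)))
    except FormLimitExceeded as e:
        print("rejected:", e)
```

The point the helper makes is that with maxFormContentSize=200000 a body can still carry tens of thousands of tiny parameters, so configuration [2] on its own leaves a large hash table reachable; maxFormKeys is the limit that actually bounds the collision work, and the size limit mainly protects memory and parsing time for large values.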