{ "threat_severity" : "Moderate", "public_date" : "2011-12-28T00:00:00Z", "bugzilla" : { "description" : "tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)", "id" : "750521", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=750521" }, "cvss" : { "cvss_base_score" : "5.0", "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status" : "verified" }, "details" : [ "Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters." ], "acknowledgement" : "Red Hat would like to thank oCERT for reporting this issue.", "affected_release" : [ { "product_name" : "JBEWP 5 for RHEL 5", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0076", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5::el5", "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el5" }, { "product_name" : "JBEWP 5 for RHEL 6", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0076", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5::el6", "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el6" }, { "product_name" : "JBoss Communications Platform 5.1", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0078", "cpe" : "cpe:/a:redhat:jboss_communications_platform:5.1" }, { "product_name" : "JBoss Enterprise BRMS Platform 5.1", "release_date" : "2012-02-22T00:00:00Z", "advisory" : "RHSA-2012:0325", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5.1" }, { "product_name" : "Red Hat Enterprise Linux 5", "release_date" : "2012-04-11T00:00:00Z", "advisory" : "RHSA-2012:0474", "cpe" : "cpe:/o:redhat:enterprise_linux:5", "package" : "tomcat5-0:5.5.23-0jpp.31.el5_8" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2012-04-11T00:00:00Z", "advisory" : "RHSA-2012:0475", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "tomcat6-0:6.0.24-36.el6_2" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 4.3", "release_date" : "2012-01-19T00:00:00Z", "advisory" : "RHSA-2012:0041", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:4.3" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5.1", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0075", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5.1" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0074", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4", "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el4" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0074", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5", "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0074", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6", "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2012-05-21T00:00:00Z", "advisory" : "RHSA-2012:0680", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "tomcat5-0:5.5.33-27_patch_07.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5", "release_date" : "2012-05-21T00:00:00Z", "advisory" : "RHSA-2012:0682", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5", "package" : "tomcat6-0:6.0.32-24_patch_07.ep5.el5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 6", "release_date" : "2012-05-21T00:00:00Z", "advisory" : "RHSA-2012:0680", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el6", "package" : "tomcat5-0:5.5.33-28_patch_07.ep5.el6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 6", "release_date" : "2012-05-21T00:00:00Z", "advisory" : "RHSA-2012:0682", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el6", "package" : "tomcat6-0:6.0.32-24_patch_07.ep5.el6" }, { "product_name" : "Red Hat JBoss Operations Network 2.4", "release_date" : "2012-02-01T00:00:00Z", "advisory" : "RHSA-2012:0089", "cpe" : "cpe:/a:redhat:jboss_operations_network:2.4" }, { "product_name" : "Red Hat JBoss Operations Network 3.0", "release_date" : "2012-03-20T00:00:00Z", "advisory" : "RHSA-2012:0406", "cpe" : "cpe:/a:redhat:jboss_operations_network:3.0" }, { "product_name" : "Red Hat JBoss Portal 4.3", "release_date" : "2012-02-02T00:00:00Z", "advisory" : "RHSA-2012:0091", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:4.3" }, { "product_name" : "Red Hat JBoss Portal 5.2", "release_date" : "2012-02-22T00:00:00Z", "advisory" : "RHSA-2012:0325", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2" }, { "product_name" : "Red Hat JBoss SOA Platform 5.2", "release_date" : "2012-02-22T00:00:00Z", "advisory" : "RHSA-2012:0325", "cpe" : "cpe:/a:redhat:jboss_soa_platform:5.2" }, { "product_name" : "Red Hat JBoss Web Platform 5.1", "release_date" : "2012-01-31T00:00:00Z", "advisory" : "RHSA-2012:0077", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5.1" }, { "product_name" : "Red Hat JBoss Web Server 1.0", "release_date" : "2012-05-21T00:00:00Z", "advisory" : "RHSA-2012:0679", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1.0" }, { "product_name" : "Red Hat JBoss Web Server 1.0", "release_date" : "2012-05-21T00:00:00Z", "advisory" : "RHSA-2012:0681", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1.0" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2011-4858\nhttps://nvd.nist.gov/vuln/detail/CVE-2011-4858" ], "name" : "CVE-2011-4858", "csaw" : false }