CVE-2011-4858
Improper Input Validation in Apache Tomcat
EPSS 76.6%
Description
Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
How to fix CVE-2011-4858
To remediate CVE-2011-4858, upgrade the affected package to a fixed version below.
- Maven/org.apache.tomcat:tomcat: upgrade to 5.5.35 or later
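The upgrade is the fix. The mitigation the fixed Tomcat releases apply is a hard cap on how many form parameters a request may carry (the Connector attribute maxParameterCount, default 10000), so that a request cannot force the container to insert an unbounded number of attacker-chosen keys into a hash map. The following Python function is an added illustration of that same mitigation class, written for this page; it is not Tomcat code and makes no use of Tomcat's internals. It relies on the standard-library parse_qsl's max_num_fields argument (Python 3.8+), and the request bodies are constructed sample data:

```python
from typing import Dict
from urllib.parse import parse_qsl

# Constructed sample bodies (not taken from the advisory): a small, normal
# form submission and a much larger one that a parameter cap should reject.
SMALL_BODY = "&".join(f"k{i}=v{i}" for i in range(5))
LARGE_BODY = "&".join(f"k{i}=v{i}" for i in range(50))


class TooManyParameters(ValueError):
    """Raised when a request carries more form parameters than the configured cap."""


def parse_form_bounded(body: str, max_params: int = 10_000) -> Dict[str, str]:
    """Parse an application/x-www-form-urlencoded body with a parameter-count cap.

    The cap is enforced by counting field separators before any key is decoded
    or inserted into a dict, so the amount of hashing work the server does is
    bounded by max_params regardless of what the keys look like. The default
    of 10_000 mirrors the container-level default Tomcat adopted in its fix;
    a real application should pick a limit that matches its largest legitimate form.
    """
    try:
        # parse_qsl raises ValueError when the number of fields exceeds max_num_fields.
        pairs = parse_qsl(body, keep_blank_values=True, max_num_fields=max_params)
    except ValueError as exc:
        raise TooManyParameters(
            f"request carries more than {max_params} form parameters"
        ) from exc
    return dict(pairs)


def within_limit(body: str, max_params: int) -> bool:
    """Convenience check: True if the body would be accepted under the given cap."""
    try:
        parse_form_bounded(body, max_params=max_params)
    except TooManyParameters:
        return False
    return True


if __name__ == "__main__":
    print(parse_form_bounded(SMALL_BODY, max_params=10))
    print("large body accepted under cap of 10:", within_limit(LARGE_BODY, 10))
```

Rejecting the request outright (HTTP 400) rather than silently truncating is the simpler choice for an application-level parser; Tomcat's own connector attribute drops the pairs beyond the limit instead, which keeps existing forms working but means the application never sees the extra values. Either way, the security property is that the number of hashed keys per request is bounded by configuration, not by the client.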
Is CVE-2011-4858 being exploited?
Likely — EPSS is 76.6%, placing CVE-2011-4858 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- >= 5.5.0, < 5.5.35