Source: cve@mitre.org
Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.
Oracle GlassFish servers are vulnerable to a denial-of-service (DoS) attack because of a flaw in how they hash form parameters. An attacker can exploit this by sending a single request with a large number of crafted parameters, causing the server to consume excessive CPU and become unresponsive, effectively taking down the services it hosts.
Step 1: Parameter Crafting: The attacker identifies the target GlassFish server and its exposed form parameters.
Step 2: Collision Generation: The attacker crafts a large number of form parameters designed to collide within the GlassFish hash table. This involves generating parameters that, when hashed by the vulnerable function, produce the same hash value.
Step 3: Payload Delivery: The attacker sends a POST request containing the crafted parameters to a vulnerable endpoint on the GlassFish server.
Step 4: Hash Collision Trigger: The GlassFish server receives the request and begins processing the form parameters. The vulnerable hash function is invoked to store and retrieve these parameters.
Step 5: CPU Exhaustion: Due to the hash collisions, the server spends a significant amount of CPU time comparing the colliding parameters, leading to high CPU utilization.
Step 6: Denial of Service: The server becomes unresponsive to legitimate requests, resulting in a denial-of-service condition.
The vulnerability lies in the hash function Oracle GlassFish uses to store and look up form parameters. That function is not collision resistant: because its output is predictable, an attacker can precompute a set of parameter names that all map to the same bucket of the hash table. Every lookup in that bucket then degrades from a constant-time operation to a linear scan over the colliding entries, so inserting n colliding parameters costs on the order of n² comparisons rather than n. The server spends that time comparing attacker-supplied names, which exhausts CPU and produces the denial-of-service condition.
While no specific APTs are directly linked to this CVE, the ease of exploitation makes it attractive to various threat actors. This vulnerability could be used as a stepping stone for further attacks. CISA KEV: Not Listed.
High CPU utilization on GlassFish server processes.
Unusually long response times for web requests.
Network traffic analysis showing a large number of POST requests with a high volume of form parameters.
Analysis of GlassFish server logs for signs of excessive request processing time or errors related to parameter handling.
Monitoring of application server metrics for sudden spikes in CPU usage or memory consumption.
Upgrade to a patched version of GlassFish or a version that is no longer vulnerable. Check Oracle's security advisories for the latest patches.
Implement a Web Application Firewall (WAF) to filter malicious requests, including those with a large number of parameters.
Limit the number of parameters (and the request body size) accepted per request, enforcing the limit before the parameters are parsed into the hash table.
Monitor server resource usage (CPU, memory, network) and set up alerts for unusual activity.
Review and harden the GlassFish configuration to minimize attack surface.
Implement rate limiting on request processing to mitigate potential DoS attacks.
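The following is an added example, not code from the advisory or from GlassFish: a pre-parse guard that caps parameter count and body size (the mitigation above) together with a simple heuristic that flags clients sending repeated large POSTs in access logs (the network-traffic indicator above). The limits, the log line format and the sample log are assumptions constructed for the example.

```python
"""Added example (not part of the advisory): a pre-parse parameter-count guard
and an access-log heuristic for the hash-collision DoS described above.
MAX_PARAMS, MAX_BODY_BYTES and the log format are assumptions, not GlassFish
settings; tune them to what your applications actually need."""
from collections import defaultdict

MAX_PARAMS = 1000          # assumed cap on form parameters per request
MAX_BODY_BYTES = 64 * 1024 # assumed cap on request body size


def count_form_params(body: bytes) -> int:
    """Count x-www-form-urlencoded pairs by separators only.
    This is O(n) in the body length and never decodes or hashes the keys,
    so it cannot be slowed down by a colliding-key payload. Some parsers
    also accept ';' as a separator; add it here if yours does."""
    if not body:
        return 0
    return body.count(b"&") + 1


def should_reject(body: bytes, max_params: int = MAX_PARAMS,
                  max_bytes: int = MAX_BODY_BYTES) -> bool:
    """True if the body must be refused before the container parses it."""
    return len(body) > max_bytes or count_form_params(body) > max_params


# Constructed access-log lines: client ip, method, path, request body bytes.
SAMPLE_LOG = """\
10.0.0.5 POST /app/login 312
10.0.0.5 POST /app/login 288
198.51.100.7 POST /app/search 2097152
198.51.100.7 POST /app/search 2097152
198.51.100.7 POST /app/search 2097152
10.0.0.9 GET /app/ 0
"""


def suspicious_clients(log_text: str, size_threshold: int = 1_000_000,
                       min_hits: int = 3) -> list:
    """Return clients that sent at least min_hits POSTs whose body size
    reached size_threshold, the traffic shape of a parameter-flood payload.
    A constructed heuristic; correlate with CPU metrics before acting on it."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than failing the scan
        ip, method, _path, size = parts
        if method == "POST" and int(size) >= size_threshold:
            hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= min_hits)
```

The guard belongs in front of the container's parameter parsing (a reverse proxy or a filter that reads the raw body), since calling the parameter API first would already build the hash table the payload targets.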