Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.
Oracle Glassfish servers are vulnerable to a denial-of-service (DoS) attack due to a flaw in how they handle form parameters. Attackers can exploit this vulnerability by sending a large number of specially crafted parameters, leading to excessive CPU consumption and making the server unresponsive, impacting critical services.
Step 1: Payload generation. The attacker crafts a large number of form parameters. These parameters are designed to collide within the hash function used by Glassfish. This requires knowledge of the hash function or the ability to brute-force or generate collisions.
Step 2: Payload delivery. The attacker sends the crafted parameters to the vulnerable Glassfish server, typically via an HTTP POST request. The request is designed to trigger the vulnerable parameter processing logic.
Step 3: Hash collision trigger. The server receives the request and begins processing the form parameters. Due to the collision-prone nature of the crafted parameters, the hash function repeatedly calculates hash values for the colliding parameters.
Step 4: Resource exhaustion. The repeated hash calculations consume significant CPU resources on the server. The server becomes overloaded and unable to respond to legitimate requests.
Step 5: Denial of service. The server's performance degrades significantly, leading to a denial of service for legitimate users.
The vulnerability stems from a weakness in the hash function Oracle Glassfish uses to index form parameters: it is not collision resistant, so an attacker can predictably construct many distinct parameter names that hash to the same value. When the server inserts those parameters into its hash-table-backed parameter map, every insert lands in the same bucket and must be compared against all of the earlier colliding entries, so the cost of handling one request grows with the square of the number of parameters rather than linearly. That is what drives CPU utilization to saturation and produces the DoS. The flaw sits in the parameter processing logic, where the hash function is used without proper safeguards against collision attacks.
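The mitigation that servlet containers adopted for this class of bug is to bound the number of form parameters a request may carry before any of them reach the parameter map, so a single request can never force more than a fixed, small amount of hash-table work (Tomcat's maxParameterCount setting is one example). The following is an added illustration written for this page, not Glassfish code: a URL-encoded form parser that counts pairs and enforces a parameter ceiling and a body-size ceiling before it decodes or stores anything. The limits, the exception type and the handle_request wrapper are assumptions chosen for the example.

```python
# Added example (not Oracle Glassfish code): bound the number of form
# parameters accepted per request so that a hash-collision payload cannot
# turn parameter parsing into quadratic work.  All limits are assumptions.
from urllib.parse import unquote_plus

MAX_PARAMETERS = 1000        # assumed ceiling on form fields per request
MAX_BODY_BYTES = 64 * 1024   # assumed ceiling on request body size


class ParameterLimitExceeded(ValueError):
    """Raised when a request body exceeds the configured parsing limits."""


def parse_form_body(body: bytes,
                    max_parameters: int = MAX_PARAMETERS,
                    max_body_bytes: int = MAX_BODY_BYTES) -> dict:
    """Parse application/x-www-form-urlencoded bytes into {name: [values]}.

    The limits are checked *before* any pair is decoded or inserted into the
    dictionary, so a rejected request costs only a linear scan of the body.
    """
    if len(body) > max_body_bytes:
        raise ParameterLimitExceeded(
            f"body of {len(body)} bytes exceeds limit of {max_body_bytes}")

    # Count non-empty pairs with a single pass; no decoding, no dict inserts.
    pairs = [p for p in body.split(b"&") if p]
    if len(pairs) > max_parameters:
        raise ParameterLimitExceeded(
            f"{len(pairs)} parameters exceed limit of {max_parameters}")

    params: dict = {}
    for pair in pairs:
        raw_name, _, raw_value = pair.partition(b"=")
        # Decode only after the count check has passed; repeated names keep
        # every value, matching usual servlet getParameterValues semantics.
        name = unquote_plus(raw_name.decode("utf-8", errors="replace"))
        value = unquote_plus(raw_value.decode("utf-8", errors="replace"))
        params.setdefault(name, []).append(value)
    return params


def handle_request(body: bytes) -> tuple:
    """Minimal request handler: (status_code, message)."""
    try:
        params = parse_form_body(body)
    except ParameterLimitExceeded as exc:
        # Reject early with a client error; nothing was inserted into the map.
        return 400, f"rejected: {exc}"
    return 200, f"accepted {len(params)} distinct parameter name(s)"


def parameter_count(body: bytes) -> int:
    """Cheap pre-check usable by a front-end filter or log-based detector."""
    return sum(1 for p in body.split(b"&") if p)


if __name__ == "__main__":
    # Constructed sample bodies: a normal form and an oversized one.
    normal = b"user=alice&action=save&tag=a&tag=b"
    flood = b"&".join(b"p%d=x" % i for i in range(5000))
    print(handle_request(normal))
    print(handle_request(flood))
```

Because the count is taken on the raw byte string, the rejection path does no hashing at all; the parameter map is only populated once the request is known to be within bounds. The same parameter_count pre-check can be run against captured request bodies in a WAF or access-log pipeline to flag requests whose field count is far above what the application's forms legitimately produce.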