CVE-2011-5035 in Fusion Middleware
Summary
by MITRE
Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 12/23/2024
This vulnerability affects Oracle Glassfish application servers and related products that process HTTP form parameters through hash-based data structures. The flaw stems from the implementation of hash table operations that fail to properly limit hash collision opportunities during parameter processing, creating a predictable denial of service condition. When attackers submit multiple crafted form parameters designed to generate hash collisions, the server's hash table performance degrades significantly from O(1) to O(n) operations, causing excessive CPU consumption and system unresponsiveness.
The technical root cause involves the hash function implementation used by the server's parameter parsing logic, which does not employ collision-resistant hashing techniques or rate limiting mechanisms. This vulnerability is classified under CWE-327, which addresses the use of weak cryptographic hash functions, and more specifically relates to CWE-400, which covers unspecified denial of service conditions. The vulnerability exists because the hash table implementation lacks proper collision handling or load balancing mechanisms that would prevent attackers from exploiting predictable hash patterns to force quadratic time complexity during hash table operations.
From an operational impact perspective, this vulnerability allows remote attackers to consume excessive CPU resources through carefully crafted HTTP POST requests containing numerous parameters designed to trigger hash collisions. The attack can be executed without authentication and requires minimal resources to generate significant system impact, making it particularly dangerous in production environments where server resources are constrained. The vulnerability affects multiple versions of Oracle Glassfish and related Sun Java System Application Server products, creating widespread exposure across enterprise deployments.
The attack vector enables denial of service through hash collision exploitation, where each malicious parameter causes the server to perform additional hash table operations that scale linearly with the number of collisions. This creates a resource exhaustion condition that can render the application server unresponsive to legitimate requests. The vulnerability demonstrates a classic application-level denial of service pattern that aligns with ATT&CK technique T1499.004, which covers network denial of service attacks through resource exhaustion. Organizations should implement parameter validation and rate limiting mechanisms, upgrade to patched versions of affected software, and consider deploying intrusion detection systems to monitor for suspicious parameter patterns that may indicate exploitation attempts.