CVE-2011-5035 in Fusion Middlewareinfo

Summary

by MITRE

Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 12/23/2024

This vulnerability affects Oracle Glassfish application servers and related products that process HTTP form parameters through hash-based data structures. The flaw stems from the implementation of hash table operations that fail to properly limit hash collision opportunities during parameter processing, creating a predictable denial of service condition. When attackers submit multiple crafted form parameters designed to generate hash collisions, the server's hash table performance degrades significantly from O(1) to O(n) operations, causing excessive CPU consumption and system unresponsiveness.

The technical root cause involves the hash function implementation used by the server's parameter parsing logic, which does not employ collision-resistant hashing techniques or rate limiting mechanisms. This vulnerability is classified under CWE-327, which addresses the use of weak cryptographic hash functions, and more specifically relates to CWE-400, which covers unspecified denial of service conditions. The vulnerability exists because the hash table implementation lacks proper collision handling or load balancing mechanisms that would prevent attackers from exploiting predictable hash patterns to force quadratic time complexity during hash table operations.

From an operational impact perspective, this vulnerability allows remote attackers to consume excessive CPU resources through carefully crafted HTTP POST requests containing numerous parameters designed to trigger hash collisions. The attack can be executed without authentication and requires minimal resources to generate significant system impact, making it particularly dangerous in production environments where server resources are constrained. The vulnerability affects multiple versions of Oracle Glassfish and related Sun Java System Application Server products, creating widespread exposure across enterprise deployments.

The attack vector enables denial of service through hash collision exploitation, where each malicious parameter causes the server to perform additional hash table operations that scale linearly with the number of collisions. This creates a resource exhaustion condition that can render the application server unresponsive to legitimate requests. The vulnerability demonstrates a classic application-level denial of service pattern that aligns with ATT&CK technique T1499.004, which covers network denial of service attacks through resource exhaustion. Organizations should implement parameter validation and rate limiting mechanisms, upgrade to patched versions of affected software, and consider deploying intrusion detection systems to monitor for suspicious parameter patterns that may indicate exploitation attempts.

Reservation

12/29/2011

Disclosure

12/29/2011

Moderation

accepted

Entry

2

Relate

show

CPE

ready

Exploit

Download

EPSS

0.68914

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!