HashDOS and ColdFusion

Tags: coldfusion, java

Earlier this week at the 28C3 security conference in Berlin, researchers presented a denial of service (DOS) technique, known as HashDOS, that several web application platforms (PHP, ASP.NET, Node.js, Tomcat, Java's HashMap/Hashtable, etc.) are vulnerable to.

The exploit takes advantage of hash collisions in the internal implementation of hashtables / hashmaps (think CFML struct). When two keys hash to the same hash code a collision occurs, and additional processing must take place to store or retrieve the item. Most application servers store request input variables (e.g. the form and url scopes) in such a data structure. If you can construct a request whose variable names all have the same internal hash code, processing the request goes from taking less than a second to several minutes.

As you can imagine, this can cause a server to crawl or crash pretty quickly with a relatively small payload. Microsoft has already released an out-of-band security patch for ASP.NET. Tomcat has provided a workaround in versions 7.0.23 and 6.0.35 and up.

The typical patch / workaround for this issue is to limit the number of input request variables: ASP.NET defaults this limit to 1000, Tomcat to 10,000.
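To make the two paragraphs above concrete, here is an added example (not code from the original post, and not ColdFusion's, JRun's or Tomcat's implementation): a toy chained hash table that counts key comparisons, so the cost of inserting keys that all land in one bucket can be measured against keys that spread out, plus a form-body parser that enforces a parameter-count cap in the style of the ASP.NET and Tomcat workaround. The `length_hash` function, the bucket count, the key names and the limit values are constructed for illustration; `java_string_hash` mirrors the well-known `String.hashCode` formula only so the "distributed" case uses a realistic hash.

```python
"""Toy model of HashDOS cost and of the parameter-count mitigation.

Added example, not code from the original post. The length-based hash is a
deliberate stand-in for "an attacker made every key collide"; it is not how
real collisions are produced.
"""
from typing import Any, Callable, Dict, List, Tuple
from urllib.parse import unquote_plus


def java_string_hash(key: str) -> int:
    """Java's String.hashCode formula (h = 31*h + c, 32-bit wraparound)."""
    h = 0
    for ch in key:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def length_hash(key: str) -> int:
    """Deliberately terrible hash used only to simulate the collision case:
    every key of the same length falls into the same bucket (constructed)."""
    return len(key)


class ChainedHashTable:
    """Separate-chaining hash table that counts key comparisons, so the work a
    lookup or insert costs can be measured instead of guessed."""

    def __init__(self, hash_fn: Callable[[str], int] = java_string_hash,
                 buckets: int = 4096) -> None:
        self._hash = hash_fn
        self._buckets: List[List[Tuple[str, Any]]] = [[] for _ in range(buckets)]
        self.comparisons = 0  # total key comparisons performed so far

    def _chain(self, key: str) -> List[Tuple[str, Any]]:
        return self._buckets[self._hash(key) % len(self._buckets)]

    def put(self, key: str, value: Any) -> None:
        # Every existing key in the chain is compared before a new one is added;
        # with all keys colliding this makes the n-th insert cost n comparisons.
        chain = self._chain(key)
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def get(self, key: str) -> Any:
        for k, v in self._chain(key):
            self.comparisons += 1
            if k == key:
                return v
        raise KeyError(key)


class TooManyParameters(ValueError):
    """Raised when a request carries more parameters than the configured cap."""


def parse_form(body: str, table: ChainedHashTable,
               max_params: int = 1000) -> ChainedHashTable:
    """Parse an application/x-www-form-urlencoded body into `table`, rejecting
    the request once more than `max_params` names have been seen. Counting
    before inserting bounds the worst-case work the table can be made to do."""
    seen = 0
    for pair in body.split("&"):
        if not pair:
            continue
        seen += 1
        if seen > max_params:
            raise TooManyParameters(f"request has more than {max_params} parameters")
        name, _, value = pair.partition("=")
        table.put(unquote_plus(name), unquote_plus(value))
    return table


def accepts(body: str, max_params: int = 1000) -> bool:
    """True if the body is accepted under the cap, False if it is rejected."""
    try:
        parse_form(body, ChainedHashTable(), max_params)
        return True
    except TooManyParameters:
        return False


def compare_costs(n: int = 2000) -> Dict[str, int]:
    """Insert the same n constructed parameter names into a well-distributed
    table and into an all-colliding one; return the comparison counts."""
    names = [f"k{i:04d}" for i in range(n)]  # constructed: all length 5
    body = "&".join(f"{name}=1" for name in names)
    good = parse_form(body, ChainedHashTable(java_string_hash), max_params=n)
    bad = parse_form(body, ChainedHashTable(length_hash), max_params=n)
    return {"distributed": good.comparisons, "colliding": bad.comparisons}


if __name__ == "__main__":
    print(compare_costs(2000))  # colliding case does n*(n-1)/2 comparisons
    print(accepts("&".join(f"p{i}=x" for i in range(1001)), 1000))  # False
```

With 2000 names the colliding table performs 2000 * 1999 / 2 = 1,999,000 key comparisons where the distributed table performs a few thousand; that quadratic growth is what turns a small payload into minutes of CPU time, and it is why capping the parameter count (rather than trying to detect collisions) is the cheap, general fix the vendors shipped.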

It's not clear yet if this vulnerability is remotely exploitable within JRun or ColdFusion. I did run some tests on a JRun/ColdFusion install and did not replicate the problem; when I tried on Tomcat I did experience the DOS. However, it's still very possible that the issue exists on JRun; my tests were certainly not conclusive. If you are running ColdFusion on something other than JRun (such as Tomcat, JBoss which runs on Tomcat, etc.) make sure to check with your vendor about this issue.

I haven't seen any word from Adobe about this issue yet, but I'll be sure to update this entry and post another if anything becomes public.

Comments

On 01/06/2012 at 8:05:48 AM EST David Boyer wrote:
1
I've had a go at replicating this in ColdFusion / JRun but haven't come up with anything yet. It'd be nice if it was confirmed to be a risk or not officially.
