HashDOS and ColdFusion
Earlier this week at the 28C3 security conference in Berlin, researchers presented a denial of service (DOS) technique that several web application platforms (PHP, ASP.NET, Node.js, Tomcat, Java's HashMap/Hashtable, etc.) are vulnerable to, known as HashDOS.
The exploit takes advantage of hash collisions in the internal implementation of hashtables / hashmaps (think CFML struct). When two keys are hashed and result in the same hash code, a collision occurs, and additional processing must take place to store or retrieve the item. Most application servers store request input variables (e.g. the form and url scopes) in such a data structure. If you can construct a request with variable names that all have the same internal hash code, the request goes from taking less than a second to process to several minutes.
As you can imagine, this can cause a server to crawl or crash pretty quickly with a relatively small payload. Microsoft has already released an out-of-band security patch for ASP.NET. Tomcat has provided a workaround in versions 7.0.23 or 6.0.35 and up.
The typical patch / workaround for this issue is to limit the number of input request variables. ASP.NET defaults this limit to 1000; Tomcat defaults to 10,000.
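The following added example (not from the original post, and not ColdFusion, Tomcat or ASP.NET code) models a chained hash table in Python to show why colliding names make the cost quadratic and why a cap on the number of parameters bounds it. `ChainedTable`, `store_params`, `worst_case_hash` and the `limit` argument are hypothetical names, and the colliding case is modelled with a constant hash function rather than real colliding strings.

```python
# Added illustration: a model of a chained hash table, not server code.

def java_string_hash(name):
    """Port of Java's String.hashCode for ASCII names, kept to 32 bits."""
    h = 0
    for ch in name:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h

def worst_case_hash(_name):
    """Models the HashDOS condition: every name has the same hash code."""
    return 0

class ChainedTable:
    """Hash table with one list (chain) per bucket; counts key comparisons."""
    def __init__(self, hash_fn, buckets=16384):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:            # a collision forces a walk of the chain
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])

def store_params(names, hash_fn, limit=None):
    """Store parameter names; return comparisons. `limit` is hypothetical."""
    if limit is not None and len(names) > limit:
        raise ValueError("request rejected: too many parameters")
    table = ChainedTable(hash_fn)
    for name in names:
        table.put(name, "")
    return table.comparisons

def worst_case_comparisons(n):
    """Comparisons needed to insert n distinct names that all collide."""
    return n * (n - 1) // 2

if __name__ == "__main__":
    names = ["field%d" % i for i in range(2000)]   # constructed sample input
    print("spread out:", store_params(names, java_string_hash))
    print("all collide:", store_params(names, worst_case_hash))
    for cap in (1000, 10000):                      # defaults quoted in the post
        print("limit", cap, "-> at most", worst_case_comparisons(cap))
```

In this model a cap of 1000 bounds the worst case at about half a million comparisons per request, while a cap of 10,000 still allows about fifty million.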
Update: Adobe has released a security hotfix to address this issue on ColdFusion 8 and 9. If you are running CF 6 or 7 you may still be vulnerable to this, but Adobe no longer produces security hotfixes for these versions (upgrade to CF 8 or above).
To learn more about the mitigation that Adobe ColdFusion has put into place for HashDOS, you can read my follow-up post: Understanding HashDos and postParameterLimit.
HashDOS and ColdFusion was first published on December 30, 2011.