Hi all,
In the context of CVE-2023-24998 (performance issues for large numbers
of uploaded parts), I have been wondering about reducing the default
value for maxParameterCount.
The current default for maxParameterCount is 10,000. It was set based on
it being low enough to mitigate CVE-2012-0022 (hash collisions in
parameter names triggering performance issues) while being so high it
was considered extremely unlikely to impact any web application.
The current default is sufficiently low to mitigate CVE-2023-24998.
There isn't any reason I am aware of that means we need to reduce the
default for maxParameterCount. My thinking is more along the lines that
when we last thought about this default in 2012, it was considered from
the perspective of "How high can we set this and still be sure
applications aren't exposed to CVE-2012-0022 or something like it?". If
we consider it from the perspective of "How low can we make this without
breaking many / most / (nearly) all applications?" I think we'll choose
a much lower number.
Another benefit of a lower number is to harden Tomcat in advance against
future vulnerabilities like CVE-2023-24998.
I was wondering about a new default of 1000 or maybe even 500.
This would certainly be for 11.0.x. I think it should be back-ported but
maybe in stages (5000, 3000, 2000, 1000) and/or delayed so it is reduced
in 10.1.x for a few releases before we reduce it in 9.0.x and then a few
more releases before we reduce it in 8.5.x.
Thoughts?
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
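As an added illustration, not taken from Mark's message or from the Tomcat project's own configuration, the following shows how a deployment can pin maxParameterCount explicitly on the Connector rather than inherit whatever default the installed Tomcat version ships with, and how to make the limit fail loudly. The Connector attribute maxParameterCount and the class org.apache.catalina.filters.FailedRequestFilter are real Tomcat features; the port, connectionTimeout, filter name and URL pattern are assumed placeholder values.

```xml
<!-- server.xml: set the limit explicitly on the Connector instead of
     relying on the default (10,000 at the time of this discussion), so
     a later change of default in a Tomcat release does not silently
     change the application's behaviour. Port and connectionTimeout
     are assumed placeholder values. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxParameterCount="1000" />

<!-- web.xml (the container's conf/web.xml or the application's own):
     when maxParameterCount is exceeded, Tomcat by default parses the
     first N parameters and drops the rest without an error, so the
     application sees a truncated parameter map. FailedRequestFilter
     forces parameter parsing and rejects the request with HTTP 400 when
     parameters were skipped, making the limit visible in logs and to
     clients. Filter name and URL pattern are assumed values. -->
<filter>
  <filter-name>failedRequestFilter</filter-name>
  <filter-class>org.apache.catalina.filters.FailedRequestFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>failedRequestFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

Pinning the value is what lets the staged reductions proposed above (5000, 3000, 2000, 1000) be adopted on an application's own schedule: an operator who has measured the application's real parameter counts sets an explicit limit once and is unaffected by the default changing underneath it. Pairing the limit with FailedRequestFilter is what turns "how low can we go without breaking applications" into something measurable, since a too-low limit then produces 400 responses rather than silently missing form fields.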