max-parameters and max-headers attributes do not become effective for AJP listener inside undertow subsystem in EAP 7.0.x
Issue
The max-parameters and max-headers attributes for <http-listener> and <ajp-listener> are configured in the undertow subsystem. For example:
<http-listener name="default" socket-binding="http" redirect-socket="https" max-parameters="200" max-headers="100" />
<ajp-listener name="ajp" socket-binding="ajp" redirect-socket="https" max-parameters="200" max-headers="100" />
As far as I have tested, it looks like both limits work effectively for the HTTP listener, but they do not take effect for the AJP listener.
If so, we do not have a way to limit these numbers for AJP to prevent hash-collision-based DoS attacks. Therefore, could this be a vulnerability issue?
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 7.0.x
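The following is an added illustration of what the max-parameters and max-headers limits described in the issue are meant to do; it is not Undertow's or EAP's own code. It models a listener that counts headers and query parameters as they are read and rejects the request (as an HTTP 400) as soon as either count exceeds the configured limit, before the remaining entries are inserted into a hash table. The limit values 200 and 100 are taken from the listener configuration above; the function names, the RequestRejected class, the host name example.test and the request text built by build_request are constructed for this example.

```python
"""Illustrative request-limit check (added example, not Undertow's own code).

Models what the undertow listener attributes max-parameters and max-headers
are meant to enforce: the request is rejected as soon as the count of
headers or parameters exceeds the configured limit, before all of them are
inserted into a hash table. The request bytes are constructed sample input.
"""
from urllib.parse import unquote_plus

MAX_PARAMETERS = 200   # value from the listener configuration on the page
MAX_HEADERS = 100      # value from the listener configuration on the page


class RequestRejected(Exception):
    """Raised when a request exceeds a configured limit (maps to HTTP 400)."""


def parse_headers(raw_headers, max_headers=MAX_HEADERS):
    """Parse 'Name: value' lines, rejecting once more than max_headers are seen."""
    headers = {}
    count = 0
    for line in raw_headers.split("\r\n"):
        if not line:
            continue
        count += 1
        if count > max_headers:
            raise RequestRejected(f"more than {max_headers} headers")
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_parameters(query, max_parameters=MAX_PARAMETERS):
    """Parse a query string, rejecting once more than max_parameters are seen.

    The limit is checked on the raw count of '&'-separated pairs, so a
    client-controlled number of colliding keys never reaches the dict.
    """
    params = {}
    count = 0
    for pair in query.split("&"):
        if not pair:
            continue
        count += 1
        if count > max_parameters:
            raise RequestRejected(f"more than {max_parameters} parameters")
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def check_request(raw_request, max_parameters=MAX_PARAMETERS, max_headers=MAX_HEADERS):
    """Return (status, params, headers) for a minimal HTTP/1.1 request text.

    status is 200 when both limits are respected, 400 when either is exceeded.
    """
    head, _, _body = raw_request.partition("\r\n\r\n")
    request_line, _, raw_headers = head.partition("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    _path, _, query = target.partition("?")
    try:
        headers = parse_headers(raw_headers, max_headers)
        params = parse_parameters(query, max_parameters)
    except RequestRejected:
        return 400, None, None
    return 200, params, headers


def build_request(n_params, n_headers):
    """Construct a sample request with n_params query parameters and n_headers
    extra headers (a Host header is always present, so n_headers + 1 in total)."""
    query = "&".join(f"p{i}={i}" for i in range(n_params))
    headers = "".join(f"X-Header-{i}: {i}\r\n" for i in range(n_headers))
    return f"GET /app?{query} HTTP/1.1\r\nHost: example.test\r\n{headers}\r\n"


if __name__ == "__main__":
    within, _, _ = check_request(build_request(10, 5))
    too_many_params, _, _ = check_request(build_request(MAX_PARAMETERS + 1, 5))
    too_many_headers, _, _ = check_request(build_request(10, MAX_HEADERS))
    print(within, too_many_params, too_many_headers)  # 200 400 400
```

The same shape of check is what a practitioner would expect from any listener that honours these attributes: a request with 201 parameters or 101 headers is refused up front. Sending such constructed requests to the HTTP and AJP ports of a test instance and comparing the responses is the straightforward way to confirm whether a given listener applies the configured limits.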