max-parameters and max-headers attributes do not become effective for AJP listener inside undertow subsystem in EAP 7.0.x


Issue

The max-parameters and max-headers attributes for <http-listener> and <ajp-listener> are configured in the undertow subsystem. For example:

<http-listener name="default" socket-binding="http" redirect-socket="https" max-parameters="200" max-headers="100" />
<ajp-listener name="ajp" socket-binding="ajp" redirect-socket="https" max-parameters="200" max-headers="100" />

As far as I have tested, it looks like both limits work effectively for the HTTP listener, but they do not become effective for the AJP listener.

If so, we do not have a way to limit these numbers for AJP to prevent hash collision based DoS attacks. Therefore, could this be a vulnerability issue?
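A way to verify whether max-parameters is actually enforced on a given listener, added here as an example (it is not part of the article or of EAP): it sends one request with exactly the configured number of query parameters and one with one more, and reports whether only the second is rejected. The default URLs, and the assumption that the AJP listener is reached through a reverse proxy (for example httpd with mod_proxy_ajp) listening on port 80, are assumptions.

```python
"""Probe an Undertow listener to see whether max-parameters is enforced.
Added example, not code from the Red Hat article. Point --http at the
HTTP listener and --ajp at a reverse proxy that forwards to the AJP
listener; both defaults below are assumptions."""
import argparse
import urllib.error
import urllib.request


def probe_url(base: str, n: int) -> str:
    """Build a URL carrying n distinct, harmless query parameters (p0=1&p1=1...)."""
    query = "&".join(f"p{i}=1" for i in range(n))
    return f"{base.rstrip('/')}/?{query}"


def send(url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status code; urllib raises on 4xx/5xx, so unwrap it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def limit_enforced(status_at_limit: int, status_over_limit: int) -> bool:
    """The limit is effective only if the request at the limit is still
    served while the request one over it is rejected by the server with a
    4xx (Undertow answers such requests with a client error)."""
    return status_at_limit < 400 and 400 <= status_over_limit < 500


def check_listener(base: str, max_parameters: int) -> dict:
    """Send the at-limit and over-limit probes and summarise the outcome."""
    at = send(probe_url(base, max_parameters))
    over = send(probe_url(base, max_parameters + 1))
    return {"at_limit": at, "over_limit": over,
            "enforced": limit_enforced(at, over)}


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("--http", default="http://localhost:8080")  # assumed
    ap.add_argument("--ajp", default="http://localhost:80")     # assumed proxy
    ap.add_argument("--max-parameters", type=int, default=200)  # value from the config above
    args = ap.parse_args()
    for name, base in (("http-listener", args.http), ("ajp-listener", args.ajp)):
        print(name, check_listener(base, args.max_parameters))
```

If the HTTP listener reports enforced=True and the AJP path reports enforced=False with the same max-parameters value, the limit is being ignored for AJP, which is the behaviour described above.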

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7.0.x
