max-parameters and max-headers attributes do not become effective for AJP listener inside undertow subsystem in EAP 7.0.x
Issue
max-parameters and max-headers attributes for <http-listener> and <ajp-listener> are configured in the undertow subsystem. For example:
<http-listener name="default" socket-binding="http" redirect-socket="https" max-parameters="200" max-headers="100" />
<ajp-listener name="ajp" socket-binding="ajp" redirect-socket="https" max-parameters="200" max-headers="100" />
As far as I have tested, it looks like both limits work effectively for the HTTP listener, but they do not become effective for the AJP listener.
If so, we do not have a way to limit these numbers for AJP to prevent hash-collision-based DoS attacks. Therefore, could this be a vulnerability issue?
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 7.0.x
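As an added example (not part of the knowledgebase article or of EAP itself), a small Python audit that reads an undertow subsystem fragment, reports the configured max-parameters/max-headers of each http-listener and ajp-listener, and flags the AJP entries because of the behaviour reported above. The sample XML is constructed from the snippet in the issue, and the fallback values of 1000 parameters and 200 headers are the assumed Undertow defaults when the attribute is absent.

```python
import xml.etree.ElementTree as ET

# Undertow's built-in limits when the attribute is not set (assumed defaults).
DEFAULT_MAX_PARAMETERS = 1000
DEFAULT_MAX_HEADERS = 200

# Behaviour reported for EAP 7.0.x: the limits are honoured on http-listener
# but observed not to take effect on ajp-listener.
LISTENER_STATUS = {
    "http-listener": "enforced",
    "ajp-listener": "NOT enforced on EAP 7.0.x: restrict who can reach the AJP port",
}

# Constructed sample: the undertow fragment from the report, wrapped in a subsystem element.
SAMPLE_CONFIG = """<subsystem xmlns="urn:jboss:domain:undertow:3.1">
  <server name="default-server">
    <http-listener name="default" socket-binding="http" redirect-socket="https"
                   max-parameters="200" max-headers="100"/>
    <ajp-listener name="ajp" socket-binding="ajp" redirect-socket="https"
                  max-parameters="200" max-headers="100"/>
  </server>
</subsystem>"""


def _local(tag):
    """Strip the namespace prefix ('{urn:...}http-listener' -> 'http-listener')."""
    return tag.rsplit("}", 1)[-1]


def audit_listeners(xml_text):
    """Return one finding per http-listener/ajp-listener found anywhere in xml_text."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        kind = _local(el.tag)
        if kind not in LISTENER_STATUS:
            continue
        findings.append({
            "listener": kind,
            "name": el.get("name"),
            "max_parameters": int(el.get("max-parameters", DEFAULT_MAX_PARAMETERS)),
            "max_headers": int(el.get("max-headers", DEFAULT_MAX_HEADERS)),
            "enforced": LISTENER_STATUS[kind] == "enforced",
            "note": LISTENER_STATUS[kind],
        })
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_CONFIG):
        print(f"{f['listener']:<14} {f['name']:<8} params={f['max_parameters']:<5} "
              f"headers={f['max_headers']:<4} -> {f['note']}")
```

Pass the full standalone.xml text instead of the fragment to audit a real server configuration; the namespace-agnostic matching works for either.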
