The Apache Tomcat developers are advising users of the 7.0.x, 6.0.x and 5.5.x branches of the Java servlet and JSP container to update to the latest released versions 7.0.23, 6.0.35 and 5.5.35. Recent investigations revealed inefficiencies in how large numbers of parameters and parameter values were handled by Tomcat.
Analysis of the recent hash collision denial-of-service (DoS) vulnerability had allowed the developers to identify "unrelated inefficiencies" which could be exploited by a specially crafted request, causing large amounts of CPU to be consumed. To address the issue, the developers modified the code to efficiently process large numbers of parameters and values.

The link for this article located at H Security is no longer available.