CVE-2023-28709 Overview
CVE-2023-28709 is a Denial of Service vulnerability in Apache Tomcat resulting from an incomplete fix for the previously disclosed CVE-2023-24998. When non-default HTTP connector settings are configured such that the maxParameterCount limit can be reached using query string parameters, an attacker can submit a request with exactly maxParameterCount parameters in the query string. This allows the limit for uploaded request parts to be bypassed, potentially causing a denial of service condition on the affected server.
Critical Impact
Attackers can bypass upload limits to trigger resource exhaustion and denial of service on Apache Tomcat servers with non-default HTTP connector configurations.
Affected Products
- Apache Tomcat 11.0.0-M2 to 11.0.0-M4
- Apache Tomcat 10.1.5 to 10.1.7
- Apache Tomcat 9.0.71 to 9.0.73
- Apache Tomcat 8.5.85 to 8.5.87
- Debian Linux 12.0
- NetApp 7-Mode Transition Tool
Discovery Timeline
- 2023-05-22 - CVE-2023-28709 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-28709
Vulnerability Analysis
This vulnerability represents an incomplete patch for the earlier CVE-2023-24998. The original fix attempted to address an issue with request part limits, but failed to account for edge cases involving the maxParameterCount configuration. When a Tomcat server is configured with non-default HTTP connector settings, an attacker can craft requests that precisely hit the maxParameterCount threshold through query string parameters while simultaneously uploading request parts that exceed intended limits.
The issue is classified under CWE-193 (Off-by-one Error), indicating a boundary condition flaw in the parameter counting logic. The vulnerability allows remote attackers to consume excessive server resources without authentication, potentially rendering the application unavailable to legitimate users.
Root Cause
The root cause is an off-by-one error in the parameter counting logic introduced by the fix for CVE-2023-24998. When the number of query string parameters exactly equals maxParameterCount, the validation logic for uploaded request parts fails to enforce the configured limits properly. This boundary condition error allows attackers to bypass the intended request part restrictions.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker exploits this vulnerability by:
- Identifying a Tomcat server with non-default HTTP connector settings where maxParameterCount is reachable via query string parameters
- Crafting a malicious HTTP request containing exactly maxParameterCount parameters in the query string
- Including additional uploaded request parts that exceed normal limits
- Submitting repeated requests to exhaust server resources
The vulnerability manifests in the HTTP connector's parameter parsing logic. When the query string parameter count reaches the exact threshold, the uploaded request parts limit check is bypassed, allowing an attacker to submit unbounded multipart content. For detailed technical analysis, refer to the Apache Mailing List Security Thread.
Detection Methods for CVE-2023-28709
Indicators of Compromise
- Abnormally large HTTP requests with extensive query string parameters combined with multipart uploads
- Server resource exhaustion events correlated with specific HTTP requests
- Tomcat access logs showing requests with parameter counts at or near maxParameterCount limits
- Increased memory consumption or thread pool exhaustion in Tomcat instances
Detection Strategies
- Monitor HTTP request sizes and parameter counts in web application firewall (WAF) logs
- Configure alerting for requests that approach configured maxParameterCount thresholds
- Implement rate limiting for multipart form submissions to detect abuse patterns
- Deploy SentinelOne Singularity to detect anomalous process behavior and resource consumption patterns on Tomcat servers
Monitoring Recommendations
- Enable detailed access logging in Tomcat to capture query string parameter counts
- Monitor JVM heap usage and garbage collection patterns for signs of memory exhaustion
- Track HTTP connector thread pool utilization for unusual spikes
- Set up alerts for HTTP 503 or 500 errors that may indicate DoS conditions
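The log-based indicators above (multipart uploads whose query string carries a parameter count at or near maxParameterCount, repeated from the same client) can be swept for offline. The following script is an added example, not part of the original advisory or of Tomcat; it assumes an AccessLogValve pattern of `%h %l %u %t "%r" %s %b "%{Content-Type}i"` (the Content-Type header is appended to the stock "common" pattern so multipart requests can be told apart), and the sample lines and the maxParameterCount value of 5 are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Assumed AccessLogValve pattern (stock "common" pattern plus the request
# Content-Type header, so that multipart uploads can be identified):
#   %h %l %u %t "%r" %s %b "%{Content-Type}i"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ctype>[^"]*)"$'
)

# Constructed sample lines for a hypothetical connector with maxParameterCount="5".
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2023:10:00:01 +0000] "GET /app/index.jsp?page=1 HTTP/1.1" 200 512 "-"
10.0.0.9 - - [22/May/2023:10:00:02 +0000] "POST /app/upload?a=1&b=2&c=3&d=4&e=5 HTTP/1.1" 200 0 "multipart/form-data; boundary=x"
10.0.0.9 - - [22/May/2023:10:00:03 +0000] "POST /app/upload?a=1&b=2&c=3&d=4&e=5 HTTP/1.1" 500 0 "multipart/form-data; boundary=x"
10.0.0.7 - - [22/May/2023:10:00:04 +0000] "POST /app/form?x=1&y=2 HTTP/1.1" 200 0 "application/x-www-form-urlencoded"
"""

def query_param_count(target):
    """Count query-string parameters the way a servlet container does (blank values count)."""
    _, _, qs = target.partition("?")
    return len(parse_qsl(qs, keep_blank_values=True)) if qs else 0

def find_suspect_requests(log_text, max_parameter_count, margin=0):
    """Return multipart requests whose query-string parameter count is at, or within
    `margin` of, maxParameterCount: the precondition CVE-2023-28709 relies on."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        is_multipart = m["ctype"].lower().startswith("multipart/form-data")
        n = query_param_count(m["target"])
        if is_multipart and n >= max_parameter_count - margin:
            hits.append({"client": m["client"], "time": m["time"],
                         "path": m["target"].split("?", 1)[0],
                         "query_params": n, "status": int(m["status"])})
    return hits

def clients_by_hits(hits):
    """Aggregate hits per source address to surface repeated submissions."""
    return Counter(h["client"] for h in hits)

if __name__ == "__main__":
    hits = find_suspect_requests(SAMPLE_LOG, max_parameter_count=5)
    for h in hits:
        print(h)
    print(clients_by_hits(hits))
```

Set max_parameter_count to the value actually configured on the connector (1000 if it has not been changed) and a small margin to catch requests that stop just short of the threshold.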
How to Mitigate CVE-2023-28709
Immediate Actions Required
- Upgrade Apache Tomcat to patched versions: 11.0.0-M5+, 10.1.8+, 9.0.74+, or 8.5.88+
- Review and restrict maxParameterCount settings if non-default values are in use
- Implement request size limits at the load balancer or reverse proxy level
- Deploy web application firewall rules to limit query string parameter counts
Patch Information
Apache has released fixed versions that address this incomplete patch issue. Organizations should upgrade to the following minimum versions:
- Apache Tomcat 11.0.0-M5 or later
- Apache Tomcat 10.1.8 or later
- Apache Tomcat 9.0.74 or later
- Apache Tomcat 8.5.88 or later
Additional security advisories are available from Debian DSA-5521, Gentoo GLSA-202305-37, and NetApp Security Advisory NTAP-20230616-0004.
Workarounds
- Revert to default HTTP connector settings if non-default maxParameterCount values are not strictly required
- Implement request filtering at the reverse proxy to limit query string length and parameter count
- Configure connection limits and request timeouts to mitigate resource exhaustion impact
- Use a web application firewall to block requests with excessive parameters
Example Tomcat server.xml Connector element that keeps maxParameterCount at an explicit, reasonable value:

<Connector port="8080" protocol="HTTP/1.1"
           maxParameterCount="1000"
           connectionTimeout="20000"
           redirectPort="8443" />

Shell commands to verify the current Tomcat version and restart the service after upgrading (the service name depends on your packaging):

# Verify current Tomcat version
catalina.sh version
# After upgrading, restart Tomcat service
systemctl restart tomcat
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.