CVE-2023-28709 Overview
CVE-2023-28709 is a denial of service vulnerability in Apache Tomcat caused by an incomplete fix for CVE-2023-24998. The flaw affects Apache Tomcat versions 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73, and 8.5.85 to 8.5.87. When non-default HTTP connector settings allowed maxParameterCount to be reached through query string parameters, attackers could submit requests that bypassed the limit on uploaded request parts. The weakness is tracked under [CWE-193] (Off-by-one Error) and stems from boundary handling logic missed in the prior patch.
Critical Impact
Remote unauthenticated attackers can trigger resource exhaustion on Tomcat servers using non-default connector configurations, resulting in denial of service.
Affected Products
- Apache Tomcat 11.0.0-M2 through 11.0.0-M4, 10.1.5 through 10.1.7, 9.0.71 through 9.0.73, 8.5.85 through 8.5.87
- Debian Linux 12.0
- NetApp 7-Mode Transition Tool
Discovery Timeline
- 2023-05-22 - CVE-2023-28709 published to the National Vulnerability Database
- 2023-05-22 - Apache project announcement posted to the security mailing list
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2023-28709
Vulnerability Analysis
The original fix for CVE-2023-24998 introduced a maxParameterCount limit intended to cap the total number of request parameters parsed by Tomcat. The patch correctly limited parameters parsed from request bodies and multipart uploads, but failed to account for an edge case where the count was reached exactly by query string parameters alone. When the parameter count from the query string equaled maxParameterCount, the server did not enforce the limit on subsequent request parts. Attackers could exploit this off-by-one boundary error by crafting requests that supplied exactly maxParameterCount parameters in the URL query string, then attached arbitrarily large multipart or form-encoded bodies that bypassed the cap. Parsing those additional parameters consumed CPU and memory, enabling denial of service against the application server.
Root Cause
The root cause is an off-by-one logic error [CWE-193] in the parameter count enforcement introduced by the CVE-2023-24998 remediation. The comparison check did not treat the boundary case as exceeding the limit, allowing additional parameter parsing once the threshold was matched exactly by query string entries.
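The boundary condition described above, as an added illustration rather than Apache Tomcat's own code: a hypothetical budget model in which the parts limit is derived from maxParameterCount minus the query-string count. The function names, the UNLIMITED sentinel and the budget arithmetic are assumptions chosen to reproduce the behaviour the text describes, where a query string that exactly reaches the cap leaves the request parts unbounded, beside the corrected handling that treats an exhausted budget as zero further parts.

```python
# Hypothetical model of the parameter-count boundary for CVE-2023-28709.
# Added illustration, not Tomcat's code: names, sentinel and arithmetic
# are assumptions that reproduce the off-by-one behaviour described above.

UNLIMITED = None  # assumed sentinel meaning "no cap applied to request parts"


def parts_budget(max_parameter_count: int, query_param_count: int, fixed: bool):
    """How many request parts may still be parsed after the query string.

    Returns an int budget, or UNLIMITED when no cap is applied to the parts.
    """
    if max_parameter_count <= 0:
        return UNLIMITED  # cap disabled in the connector configuration
    remaining = max_parameter_count - query_param_count
    if fixed:
        # Corrected handling: an exhausted budget means zero further parts,
        # never "no limit".
        return max(remaining, 0)
    if remaining < 0:
        return 0  # query string already over the limit: no parts allowed
    # Flawed handling: a remaining budget of exactly 0 (query-string count
    # equal to maxParameterCount) is not treated as "limit reached" and falls
    # through to the no-limit sentinel, so subsequent parts are parsed uncapped.
    return remaining if remaining > 0 else UNLIMITED


def request_accepted(max_parameter_count: int, query_param_count: int,
                     part_count: int, fixed: bool) -> bool:
    """True when every part of the request would be parsed under the budget."""
    budget = parts_budget(max_parameter_count, query_param_count, fixed)
    return budget is UNLIMITED or part_count <= budget


if __name__ == "__main__":
    # Boundary case: query string count equal to the cap, then 500 parts.
    print("flawed accepts:", request_accepted(10, 10, 500, fixed=False))
    print("fixed accepts: ", request_accepted(10, 10, 500, fixed=True))
```

The only difference between the two paths is what a remaining budget of zero means; every other value behaves identically, which is why the defect survived the original fix's testing of the under- and over-limit cases.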
Attack Vector
The vulnerability is exploitable over the network without authentication or user interaction. Exploitation requires the target to use non-default HTTP connector settings that permit the configured maxParameterCount to be reached through query string parameters. An attacker sends a single crafted HTTP request with carefully sized parameter sets to trigger excessive resource consumption. See the Apache Mailing List Discussion for protocol-level details.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 0.383%.
Detection Methods for CVE-2023-28709
Indicators of Compromise
- HTTP requests containing query strings with parameter counts equal to or near the configured maxParameterCount value
- Sudden spikes in JVM heap usage or CPU utilization on Tomcat worker threads coinciding with multipart or form-encoded uploads
- Repeated client connections from the same source generating large parameter sets across mixed query and body content
Detection Strategies
- Monitor Tomcat access logs for unusually long query strings or high parameter counts per request
- Correlate inbound request patterns with thread pool saturation alerts from JMX or application performance monitoring
- Apply web application firewall rules that flag requests exceeding policy thresholds for query parameter count and total request size
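The access-log check from the first strategy, as an added example that is not part of this page or of Tomcat: it parses lines in the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b, where %r carries the request line including the query string), counts query parameters per request, flags counts at or near a configured maxParameterCount, and groups the hits per source address. The sample log lines are constructed; the near-limit fraction of 0.9 is an assumed threshold.

```python
import re
from urllib.parse import urlsplit

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def count_query_params(request_line: str) -> int:
    """Count the '&'-separated entries in the query string of a request line
    such as 'GET /app/upload?a=1&b=2 HTTP/1.1'."""
    pieces = request_line.split(" ")
    if len(pieces) < 2:
        return 0
    query = urlsplit(pieces[1]).query
    return sum(1 for entry in query.split("&") if entry) if query else 0


def scan_access_log(lines, max_parameter_count, near_fraction=0.9):
    """Return one finding per request whose query-string parameter count is at
    or above max_parameter_count, or within near_fraction of it."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a "common"-pattern line; skip rather than guess
        count = count_query_params(match.group("request"))
        if count >= max_parameter_count:
            level = "at_or_above_limit"
        elif count >= near_fraction * max_parameter_count:
            level = "near_limit"
        else:
            continue
        findings.append({
            "host": match.group("host"),
            "time": match.group("time"),
            "status": int(match.group("status")),
            "params": count,
            "level": level,
        })
    return findings


def findings_by_host(findings):
    """Group flagged requests per source address; repeated hits from one host
    are a stronger signal than a single large request."""
    per_host = {}
    for finding in findings:
        per_host[finding["host"]] = per_host.get(finding["host"], 0) + 1
    return per_host


def _request(n_params: int) -> str:
    """Build a constructed request line carrying n_params query parameters."""
    query = "&".join(f"p{i}=x" for i in range(n_params))
    return f"POST /app/upload?{query} HTTP/1.1"


# Constructed sample lines (not from a real server): one benign request and
# three suspicious ones, two of them from the same source address.
SAMPLE_LINES = [
    '10.0.0.5 - - [22/May/2023:10:00:01 +0000] "GET /app/index?x=1&y=2 HTTP/1.1" 200 512',
    f'198.51.100.7 - - [22/May/2023:10:00:02 +0000] "{_request(1000)}" 200 17',
    f'198.51.100.7 - - [22/May/2023:10:00:03 +0000] "{_request(1000)}" 503 0',
    f'203.0.113.9 - - [22/May/2023:10:00:04 +0000] "{_request(920)}" 200 17',
]

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LINES, max_parameter_count=1000)
    for hit in hits:
        print(hit)
    print(findings_by_host(hits))
```

Run it against a real access log by replacing SAMPLE_LINES with the file's lines and max_parameter_count with the value configured on the connector; a deployment that uses a custom AccessLogValve pattern needs LOG_RE adjusted to match, and the count only covers the query string, since the body parameters that matter for this CVE are not logged.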
Monitoring Recommendations
- Track Tomcat connector metrics such as currentThreadsBusy, requestProcessingTime, and bytesReceived for anomalies
- Alert on stack traces referencing parameter parsing methods in org.apache.catalina.connector or org.apache.tomcat.util.http.Parameters
- Centralize Tomcat logs and HTTP telemetry in a SIEM to identify burst patterns indicative of denial of service attempts
How to Mitigate CVE-2023-28709
Immediate Actions Required
- Upgrade Apache Tomcat to a patched version: 11.0.0-M5 or later, 10.1.8 or later, 9.0.74 or later, or 8.5.88 or later
- Review HTTP connector configurations and revert non-default maxParameterCount overrides where feasible
- Apply distribution-specific updates from Debian DSA-5521, Gentoo GLSA 202305-37, and the NetApp Security Advisory
Patch Information
The Apache Tomcat project released fixed versions addressing the incomplete remediation. Detailed release notes and patch references are available in the Apache Mailing List Discussion and the Openwall OSS Security Post.
Workarounds
- Place a reverse proxy or web application firewall in front of Tomcat to enforce strict request size and parameter count limits before traffic reaches the application server
- Restrict the maxParameterCount connector attribute to conservative values matching application requirements
- Disable or restrict multipart upload handling on endpoints that do not require it
<!-- Example server.xml connector hardening (Apache Tomcat).
     maxParameterCount caps the combined number of query-string and body
     parameters; maxPostSize caps the form body in bytes. An SSLEnabled
     connector also needs certificate configuration, omitted here. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxParameterCount="1000"
           maxPostSize="2097152"
           maxHttpHeaderSize="8192"
           connectionTimeout="20000"
           SSLEnabled="true" />
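A small audit helper for the upgrade and configuration-review actions above, added here as an example and not tooling from the Tomcat project: it checks a Tomcat version string against the affected ranges and fixed releases listed on this page, and scans a server.xml for Connector elements that leave maxParameterCount unset or set it above a chosen ceiling. The server.xml fragment is constructed, and the 1000 ceiling is taken from the hardening example above rather than from any Tomcat default.

```python
import xml.etree.ElementTree as ET

# Affected ranges and fixed releases as listed on this page:
# (first affected, last affected, first fixed)
AFFECTED_RANGES = [
    ("11.0.0-M2", "11.0.0-M4", "11.0.0-M5"),
    ("10.1.5", "10.1.7", "10.1.8"),
    ("9.0.71", "9.0.73", "9.0.74"),
    ("8.5.85", "8.5.87", "8.5.88"),
]


def version_key(version: str):
    """Sortable key for Tomcat versions; milestones such as 11.0.0-M4 sort
    before the GA release 11.0.0."""
    base, _, milestone = version.partition("-M")
    numbers = tuple(int(part) for part in base.split("."))
    if len(numbers) != 3:
        raise ValueError(f"unexpected Tomcat version format: {version!r}")
    return numbers + ((0, int(milestone)) if milestone else (1, 0))


def fixed_version_for(version: str):
    """Return the first fixed release when `version` falls in an affected
    range, otherwise None."""
    key = version_key(version)
    for first, last, fixed in AFFECTED_RANGES:
        if version_key(first) <= key <= version_key(last):
            return fixed
    return None


def audit_connectors(server_xml: str, recommended_max: int = 1000):
    """Flag Connector elements that leave maxParameterCount unset or set it
    above recommended_max. Returns a list of (port, message) tuples."""
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        port = connector.get("port", "?")
        value = connector.get("maxParameterCount")
        if value is None:
            findings.append((port, "maxParameterCount not set explicitly; "
                                   "the Tomcat default applies"))
        elif int(value) > recommended_max:
            findings.append((port, f"maxParameterCount={value} exceeds "
                                   f"recommended ceiling {recommended_max}"))
    return findings


# Constructed server.xml fragment (not from a real deployment).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxParameterCount="1000" maxPostSize="2097152" SSLEnabled="true" />
    <Connector port="8081" protocol="HTTP/1.1" maxParameterCount="50000" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for version in ("9.0.72", "9.0.74", "11.0.0-M3", "10.1.8"):
        print(version, "->", fixed_version_for(version) or "not affected")
    for port, message in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {message}")
```

The version check only covers the ranges this page names; versions older than the first affected release of each branch report as not affected because the incomplete fix was not present there, and they should still be upgraded for the original CVE-2023-24998 fix.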
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

