CVE-2023-28709

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass request size limits in Apache Tomcat by submitting exactly maxParameterCount query parameters, potentially causing denial of service. It affects Tomcat versions 11.0.0-M2 to M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73, and 8.5.85 to 8.5.87. Only systems with non-default HTTP connector configurations that enable maxParameterCount are vulnerable.

💻 Affected Systems

Products:
  • Apache Tomcat
Versions: 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73, 8.5.85 to 8.5.87
Operating Systems: All operating systems running affected Tomcat versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using non-default HTTP connector settings with maxParameterCount configured and reachable via query parameters.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service rendering Tomcat instances unavailable, potentially affecting multiple applications hosted on the server.

🟠 Likely Case

Degraded performance or temporary service disruption due to resource exhaustion from bypassed upload limits.

🟢 If Mitigated

Minimal impact with proper request filtering, rate limiting, and monitoring in place.

🌐 Internet-Facing: MEDIUM - Requires specific non-default configuration and precise parameter count, but internet-facing systems are more exposed to exploitation attempts.
🏢 Internal Only: LOW - Internal systems typically have more controlled access and less exposure to malicious requests.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires knowledge of specific non-default configuration and ability to send requests with exact parameter count matching maxParameterCount.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Tomcat 11.0.0-M5, 10.1.8, 9.0.74, 8.5.88

Vendor Advisory: https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j

Restart Required: Yes

Instructions:

1. Download the patched Tomcat version from the Apache website.
2. Stop the Tomcat service.
3. Back up the current installation.
4. Replace it with the patched version.
5. Restart the Tomcat service.

🔧 Temporary Workarounds

Disable maxParameterCount (Platforms: all)

Remove or increase the maxParameterCount setting in server.xml so that the limit cannot be reached.

Edit $CATALINA_HOME/conf/server.xml and remove or modify the maxParameterCount attribute on the Connector element.

Implement request filtering (Platforms: all)

Use web application filters or a reverse proxy to limit query parameter counts before requests reach Tomcat.

🧯 If You Can't Patch

  • Implement strict rate limiting and request size validation at network perimeter
  • Monitor for unusual parameter counts in web server logs and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check the Tomcat version against the vulnerable ranges and inspect server.xml for a maxParameterCount attribute on the HTTP Connector.

Check Version:

java -cp $CATALINA_HOME/lib/catalina.jar org.apache.catalina.util.ServerInfo

Verify Fix Applied:

Verify Tomcat version is patched (11.0.0-M5+, 10.1.8+, 9.0.74+, 8.5.88+) and test with parameter-heavy requests.

📡 Detection & Monitoring

Log Indicators:

  • Requests with unusually high number of query parameters
  • Error logs showing parameter limit bypass attempts

Network Indicators:

  • HTTP requests with exactly configured maxParameterCount query parameters
  • Sudden increase in large POST/PUT requests

SIEM Query:

source="tomcat_access.log" | where parameter_count >= [configured_maxParameterCount]
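As an added example (not part of this page or of Tomcat), the log check described above in Python: it parses Tomcat access-log lines in the default "common" AccessLogValve pattern, counts query-string parameters per request, and reports requests whose count reaches the configured limit. The MAX_PARAMETER_COUNT value and the log lines are constructed for illustration; set the limit to the value from your own Connector.

```python
import re
from urllib.parse import urlsplit

# Constructed value for this example: replace with the maxParameterCount
# attribute of the affected Connector in server.xml.
MAX_PARAMETER_COUNT = 5

# Tomcat AccessLogValve pattern "common": %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)


def count_query_params(target: str) -> int:
    """Count name=value pairs in the query string of a request target.
    Repeated names count each time, since maxParameterCount limits the
    number of parameter/value pairs, not distinct names."""
    query = urlsplit(target).query
    return sum(1 for part in query.split('&') if part) if query else 0


def scan_access_log(lines, limit=MAX_PARAMETER_COUNT):
    """Return (host, method, path, count) for every request whose
    query-string parameter count is at or above the configured limit.
    Exactly `limit` is the condition this CVE describes; higher counts are
    flagged too because they are equally unusual in normal traffic."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is in a different pattern; do not guess
        n = count_query_params(m['target'])
        if n >= limit:
            hits.append((m['host'], m['method'], urlsplit(m['target']).path, n))
    return hits


# Constructed sample log lines (not real traffic)
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Apr/2023:12:00:01 +0000] "GET /app/search?q=test HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Apr/2023:12:00:02 +0000] "POST /app/upload?a=1&b=2&c=3&d=4&e=5 HTTP/1.1" 200 17',
    '198.51.100.9 - - [10/Apr/2023:12:00:03 +0000] "POST /app/upload?a=1&a=2&a=3&a=4&a=5&a=6 HTTP/1.1" 200 17',
    'malformed line that does not match the pattern',
]

if __name__ == "__main__":
    for host, method, path, n in scan_access_log(SAMPLE_LOG):
        print(f"{host} {method} {path}: {n} query parameters (limit {MAX_PARAMETER_COUNT})")
```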
