How to Set the MaxRequestParameterCount Value in WebLogic Server to Avoid MaxRequestParameterExceedException
(Doc ID 1505598.1)
Last updated on JUNE 15, 2020
Applies to: Oracle WebLogic Server - Version 10.0 and later
Primavera Unifier Cloud Service - Version 188.8.131.52 to 184.108.40.206 [Release 18.8]
Information in this document applies to any platform.
This document is provided in conjunction with a Security Advisory and Critical Patch Update. A security vulnerability was identified where malicious users could send HTTP requests with so many parameters as to overload the WebLogic Server (WLS) domain. This vulnerability was addressed in the January 2013 CPU. See the security alerts page at http://www.oracle.com/technetwork/topics/security/alerts-086861.html and the January 2013 Patch Availability Document (PAD) at <Note 1502461.1> referring to CVE-2011-5035. This will be cumulative going forward for PSUs and new releases for WebLogic Server.
Once the fix is applied, a request that exceeds the limit is rejected with a MaxRequestParameterExceedException (the error text is shown at the bottom of this document). To support this fix and give applications control over the limit, a new attribute was added to WLS: MaxRequestParameterCount.
The attribute caps the number of parameters a single request may carry; a request above the cap is rejected instead of being parsed, so it cannot overload the server. Instructions for setting the attribute follow.
- The default value of MaxRequestParameterCount is 10,000. WLST can be used to make the value higher or lower as described below.
- The value "1000" used in the instructions below is just an example, not a recommended or required value.
- Please also note that in some versions of this fix on WLS 12.1.1 and earlier, "parameter" is misspelled: the attribute is named MaxRequestParamterCount. That is how it is spelled in the source code for WLS 10.0.0 through 12.1.1, so the misspelled name must be used on those versions. WLS 12.1.2 and higher use the correct spelling, MaxRequestParameterCount. <Bug 19356852> tracks correcting the spelling in the versions that have it.
The MaxRequestParameterCount attribute can be set in two places:
- On the WebServerMBean, which is a child of the ServerMBean and provides settings that have effect only for the server instance to which the WebServerMBean belongs.
- On the VirtualHostMBean. Virtual hosts, like servers, are children of the DomainMBean. Settings on the VirtualHostMBean override corresponding settings on the WebServerMBean.
One must use WLST to set the MaxRequestParameterCount attribute, as shown below. Please note the following:
- <admin_user> represents an administrative user for the target domain.
- <admin_pwd> represents the password for <admin_user>.
- <admin_url> represents the URL to connect to the domain's admin server; e.g., "t3://<host>:<port>" or "t3s://<host>:<port>".
- <domain_name> represents the name of the domain being managed (default "mydomain").
- <server_name> represents the name of a server being managed (default "myserver").
- <virtual_host> represents the name of a virtual host being managed (default "VirtualHost-0").
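The following WLST (Jython) script is an added example, not the script from this note: it sets the attribute on either the server's WebServerMBean or a VirtualHostMBean inside one edit session and reads the value back after activation. The edit-tree paths (/Servers/<server_name>/WebServer/<server_name> and /VirtualHosts/<virtual_host>) and the setter naming (set + attribute name) are assumptions based on the usual WLST layout and MBean conventions; the credentials, URL and limit are placeholders.

```python
# Added example, not the note's own script. Run inside WLST, for example:
#   java weblogic.WLST set_max_params.py
# Assumptions (not stated in the note): edit-tree paths below follow the usual
# WLST layout, and each attribute X has a setter setX on the MBean proxy (cmo).
import sys

ADMIN_USER = '<admin_user>'
ADMIN_PWD = '<admin_pwd>'
ADMIN_URL = 't3://<host>:<port>'
SERVER_NAME = 'myserver'
VIRTUAL_HOST = None      # set to e.g. 'VirtualHost-0' to target a virtual host instead
LIMIT = 1000             # example value only, as the note says

# Correct spelling first (WLS 12.1.2+), then the misspelling in WLS 10.0.0 to 12.1.1.
ATTR_NAMES = ('MaxRequestParameterCount', 'MaxRequestParamterCount')


def webserver_path(server_name):
    """Assumed edit-tree path of the WebServerMBean owned by a server."""
    return '/Servers/%s/WebServer/%s' % (server_name, server_name)


def virtual_host_path(virtual_host):
    """Assumed edit-tree path of a VirtualHostMBean (overrides the server's WebServerMBean)."""
    return '/VirtualHosts/%s' % virtual_host


def pick_setter(mbean):
    """Return (attribute name, setter) for whichever spelling this MBean exposes."""
    for name in ATTR_NAMES:
        setter = getattr(mbean, 'set' + name, None)
        if setter is not None:
            return name, setter
    raise AttributeError('MBean has no MaxRequestParameterCount attribute; '
                         'is the January 2013 CPU (or a later PSU) applied?')


def apply_limit(mbean_path, limit):
    """Set the limit on the MBean at mbean_path and return the value read back.
    connect/edit/startEdit/cd/get/activate/stopEdit/cmo are WLST built-ins."""
    connect(ADMIN_USER, ADMIN_PWD, ADMIN_URL)
    edit()
    startEdit()
    try:
        cd(mbean_path)
        name, setter = pick_setter(cmo)
        setter(limit)
        activate()
    except Exception:
        stopEdit('y')      # abandon the edit session rather than leave a lock behind
        raise
    # Read back from the edit tree to confirm the change survived activation.
    cd(mbean_path)
    applied = get(name)
    disconnect()
    return applied


if __name__ == '__main__':
    if VIRTUAL_HOST:
        path = virtual_host_path(VIRTUAL_HOST)
    else:
        path = webserver_path(SERVER_NAME)
    sys.stdout.write('%s: limit is now %s\n' % (path, apply_limit(path, LIMIT)))
```

The script avoids Jython 2.7-only syntax so it also runs under the older Jython shipped with WLS 10.x; on those versions pick_setter falls through to the misspelled setter automatically.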
Applications can trigger this exception in different ways. A small code sample that reproduces it, useful for testing the setting and comparing results, is given in the following document:
<Note 1906952.1> Sample Code to Reproduce MaxRequestParameterExceedException
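As an added example (not the sample from Note 1906952.1, which is not reproduced here), the client below posts a chosen number of form parameters to a target and reports the HTTP status, so the effect of a newly set limit can be observed from outside. The target URL, parameter names and the probed counts are assumptions; the page does not state whether the limit is inclusive, so the client probes just below, at and just above it. The exception is raised on the server when the servlet reads its parameters, so the target must be a servlet or JSP that does so, and the HTTP status it turns into depends on the application's error handling.

```python
# Added example, not Oracle's sample code. Usage:
#   python probe_params.py http://<host>:<port>/<app>/<servlet> 1000
# Assumptions: the target reads request parameters; the boundary is probed at
# limit-1, limit and limit+1 because the note does not say which side fails.
import sys
import urllib.error
import urllib.parse
import urllib.request


def build_form_body(count):
    """Constructed POST body with `count` distinct parameters: p0=v&p1=v&..."""
    return urllib.parse.urlencode([('p%d' % i, 'v') for i in range(count)])


def count_parameters(body):
    """Count name=value pairs as a servlet container would: every '&'-separated
    pair counts, including repeated names and empty values."""
    return len(urllib.parse.parse_qsl(body, keep_blank_values=True))


def probe(url, count, timeout=10):
    """POST `count` form parameters to url and return (status, reason)."""
    data = build_form_body(count).encode('ascii')
    req = urllib.request.Request(url, data=data, method='POST')
    req.add_header('Content-Type', 'application/x-www-form-urlencoded')
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.reason
    except urllib.error.HTTPError as e:
        # A server-side MaxRequestParameterExceedException usually surfaces here
        # as an error status; the exact code depends on the application.
        return e.code, e.reason


def probe_counts(limit):
    """Parameter counts to try around a configured limit, never below one."""
    return [n for n in (limit - 1, limit, limit + 1) if n >= 1]


def check_limit(url, limit):
    """Probe around the limit; returns {count: (status, reason)}."""
    return dict((n, probe(url, n)) for n in probe_counts(limit))


if __name__ == '__main__':
    target, limit = sys.argv[1], int(sys.argv[2])
    for n, (status, reason) in sorted(check_limit(target, limit).items()):
        print('%6d parameters -> HTTP %s %s' % (n, status, reason))
```

Compare the three results: with the attribute applied, the count at which the status changes is the effective limit, and running the same probe against the server's default (10,000) and against a VirtualHostMBean that overrides the WebServerMBean shows which setting actually governs a given host.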