what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Open Source CERT Security Advisory 2011.003

Open Source CERT Security Advisory 2011.003
Posted Dec 29, 2011
Authored by Andrea Barisani, Open Source CERT | Site ocert.org

A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.

tags | advisory
advisories | CVE-2011-4461, CVE-2011-4838, CVE-2011-4885, CVE-2011-4462, CVE-2011-4815
SHA-256 | 0b2b66a010f07afd3a21848f6c4de292e1d20c5873c836998313c0f5f90e9999

Open Source CERT Security Advisory 2011.003

Change Mirror Download

#2011-003 multiple implementations denial-of-service via hash algorithm
collision

Description:

A variety of programming languages suffer from a denial-of-service (DoS)
condition against storage functions of key/value pairs in hash data
structures, the condition can be leveraged by exploiting predictable
collisions in the underlying hashing algorithms.

The issue finds particular exposure in web server applications and/or
frameworks. In particular, the lack of sufficient limits for the number of
parameters in POST requests in conjunction with the predictable collision
properties in the hashing functions of the underlying languages can render web
applications vulnerable to the DoS condition. The attacker, using specially
crafted HTTP requests, can lead to a 100% of CPU usage which can last up to
several hours depending on the targeted application and server performance,
the amplification effect is considerable and requires little bandwidth and
time on the attacker side.

The condition for predictable collisions in the hashing functions has been
reported for the following language implementations: Java, JRuby, PHP, Python,
Rubinius, Ruby. In the case of the Ruby language, the 1.9.x branch is not
affected by the predictable collision condition since this version includes a
randomization of the hashing function.

The vulnerability outlined in this advisory is practically identical to the
one reported in 2003 and described in the paper Denial of Service via
Algorithmic Complexity Attacks which affected the Perl language.

The reporters own advisory can be found at
http://www.nruns.com/_downloads/advisory28122011.pdf

Affected version:
Java, all versions
JRuby <= 1.6.5
PHP <= 5.3.8, <= 5.4.0RC3
Python, all versions
Rubinius, all versions
Ruby <= 1.8.7-p356

Apache Geronimo, all versions
Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22
Oracle Glassfish <= 3.1.1
Jetty, all versions
Plone, all versions
Rack, all versions
V8 JavaScript Engine, all versions

Fixed version:
Java, N/A
JRuby >= 1.6.5.1
PHP >= 5.3.9, >= 5.4.0RC4
Python, N/A
Rubinius, N/A
Ruby >= 1.8.7-p357, 1.9.x

Apache Geronimo, N/A
Apache Tomcat >= 5.5.35, >= 6.0.35, >= 7.0.23
Oracle Glassfish, N/A (Oracle reports that the issue is fixed in the main codeline and scheduled for a future CPU)
Jetty, N/A
Plone, N/A
Rack, N/A
V8 JavaScript Engine, N/A

Credit: vulnerability report and PoC code received from Alexander Klink
<alexander.klink AT nruns.com> and Julian Waelde <jwaelde AT
cdc.informatik.tu-darmstadt.de>.

CVE: CVE-2011-4461 (Jetty), CVE-2011-4838 (JRuby), CVE-2011-4885 (PHP),
CVE-2011-4462 (Plone), CVE-2011-4815 (Ruby)

Timeline:

2011-09-25: vulnerability report received, reporters set embargo date to December 27th
2011-10-18: contacted maintainers of Apache Tomcat, Apache Geronimo, Jetty, Java, Plone, Zope, V8
2011-11-01: contacted maintainers of Ruby on Rails, Ruby, Python, PHP
2011-11-01: contacted affected distributions
2011-11-02: contacted JRuby maintainer
2011-12-13: contacted Ruby Installer maintainer
2011-12-14: assigned CVE for Ruby
2011-12-15: assigned CVE for JRuby
2011-12-13: contacted Rack maintainer
2011-12-16: assigned CVE for Apache Tomcat
2011-12-21: assigned CVE for PHP
2011-12-28: advisory release

References:
http://www.nruns.com/_downloads/advisory28122011.pdf
http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf
http://svn.php.net/viewvc?view=revision&revision=321003 (unstable, not final)
http://svn.php.net/viewvc?view=revision&revision=321040 (unstable, not final)
https://gist.github.com/52bbc6b9cc19ce330829

Permalink:
http://www.ocert.org/advisories/ocert-2011-003.html

--
Andrea Barisani | Founder & Project Coordinator
oCERT | OSS Computer Security Incident Response Team

<lcars@ocert.org> http://www.ocert.org
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"
Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    17 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    20 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close