Bug 750533 (CVE-2012-2739)
| Summary: | CVE-2012-2739 java: hash table collisions CPU usage DoS (oCERT-2011-003) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | ahughes, aph, dbhole, jvanek, mjc, pahan, security-response-team, wnefal+redhatbugzilla |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-02-09 16:57:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 750536, 770929 | ||
|
Description
Jan Lieskovsky
2011-11-01 14:13:47 UTC
Acknowledgements: Red Hat would like to thank oCERT for reporting this issue. oCERT acknowledges Julian Wälde and Alexander Klink as the original reporters. This issue was presented on 28C3: http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html Details were posted to full-disclosure: http://seclists.org/fulldisclosure/2011/Dec/477 oCERT advisory: http://www.ocert.org/advisories/ocert-2011-003.html n.runs advisory (copy of the full-disclosure post): http://www.nruns.com/_downloads/advisory28122011.pdf 28C3 slides and recording: http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf http://www.youtube.com/28c3#p/u/22/R2Cq3CLI6H8 Another good write-up of the issue: http://cryptanalysis.eu/blog/2011/12/28/effective-dos-attacks-against-web-application-plattforms-hashdos/ Upstream does not believe this issue should be addressed in Java language itself, and rather needs to be addressed in affected applications. 28C3 slides quote following Oracle Security Team statement: As for Java itself, it does not seem like there is anything that would require a change in Java hashmap implementation. Hence there's currently no plan to address this issue in Java JREs. The issue is going to be addressed in application servers such as Tomcat and JBossWeb (bug #750521), and Glassfish (Oracle bug S0104869). (In reply to comment #12) > Upstream does not believe this issue should be addressed in Java language > itself, and rather needs to be addressed in affected applications. 28C3 > slides quote following Oracle Security Team statement: > > As for Java itself, it does not seem like there is anything that would > require a change in Java hashmap implementation. > > Hence there's currently no plan to address this issue in Java JREs. It seems there is actually going to be a fix for this in Java 7 and Java 8: http://mail.openjdk.java.net/pipermail/core-libs-dev/2012-May/010238.html Statement: This flaw affects various versions of Java as shipped with Red Hat products. A patch is available for Java 7 and Java 8, but not for previous versions of Java shipped with Red Hat products. Although no patch is available for previous versions of Java as shipped with Red Hat products, the impact of this flaw has been addressed in several components that utilize Java HashMap in such a way that may expose a denial of service flaw. Other related reference: http://armoredbarista.blogspot.de/2012/02/investigating-hashdos-issue.html |