Red Hat Bugzilla – Full Text Bug Listing
|Summary:|CVE-2012-0840 apr: hash table collisions CPU usage DoS|
|Product:|[Other] Security Response|
|Reporter:|Vincent Danen <vdanen>|
|Component:|vulnerability|
|Assignee:|Red Hat Product Security <security-response-team>|
|Status:|NEW ---|
|QA Contact:||
|Version:|unspecified|
|CC:|bojan, jorton, jrusnack, mjc, oliver|
|Fixed In Version:|apr 1.4.6|
|Doc Type:|Bug Fix|
|Doc Text:||
|Story Points:|---|
|oVirt Team:|---|
|RHEL 7.3 requirements from Atomic Host:||
|Bug Depends On:||
|Bug Blocks:|770929, 782130|
Description Vincent Danen 2012-01-13 15:34:47 EST
Julian Wälde and Alexander Klink reported a way to degrade performance of the Java Hashtable implementation by filling the hash table with keys with identical hash codes - see bug #770929 for details. The apr developers are looking at adding randomization to apr to mitigate such attacks. It is unknown how such attacks may be mounted against applications using libapr, or what the result might be, but the developers are discussing how best to address this. There is currently no formal patch or commit to apr.
http://www.mail-archive.com/dev%40apr.apache.org/msg24439.html
Comment 2 Tomas Hoger 2012-01-16 04:04:59 EST
(In reply to comment #0)
> There is currently no formal patch or commit to apr.
Patches start to appear upstream:
http://svn.apache.org/viewvc?view=revision&revision=1231605
http://svn.apache.org/viewvc?view=revision&revision=1231858
Comment 8 Bojan Smojver 2012-01-27 17:19:22 EST
The above were reverted. You can try: http://svn.apache.org/viewvc?view=revision&revision=1236642
Comment 9 Bojan Smojver 2012-01-27 22:01:16 EST
(In reply to comment #8)
> The above were reverted. You can try:
>
> http://svn.apache.org/viewvc?view=revision&revision=1236642
Actually, I just reverted this as well. It would not be effective.
Comment 10 Bojan Smojver 2012-01-27 22:23:53 EST
Comment 11 Bojan Smojver 2012-01-28 10:55:56 EST
Comment 12 Bojan Smojver 2012-01-29 18:39:41 EST
Comment 13 Vincent Danen 2012-02-08 23:18:10 EST
This was assigned the name CVE-2012-0840: http://seclists.org/oss-sec/2012/q1/391
Comment 14 Fedora Update System 2012-03-01 04:21:12 EST
apr-1.4.6-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2012-03-01 04:35:17 EST
apr-1.4.6-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Tomas Hoger 2012-05-30 05:29:54 EDT
There has been a post from William A. Rowe Jr. indicating this should not have been called security upstream:
http://thread.gmane.org/gmane.comp.apache.apr.devel/18632/focus=18802
which resulted in:
http://svn.apache.org/viewvc?view=revision&revision=1293697
i.e. CHANGES file now says:
  *) Randomise hashes by providing a seed. Assigned CVE-2012-0840, oCERT-2011-003, but not known to be exploitable. [Bojan Smojver, Branko Čibej, Ruediger Pluem et al.]
Bojan, Joe, I guess the randomization itself is not planned to be removed despite the above change.
Comment 17 Bojan Smojver 2012-05-30 07:53:43 EDT
(In reply to comment #16)
> Bojan, Joe, I guess the randomization itself is not planned to be removed
> despite the above change.
No, it stays. It is a mitigation approach against a potential problem.
Comment 18 Stefan Cornelius 2013-02-21 04:30:17 EST
Dropping this to low as, reportedly, there is no suitable vector for this to be exploited:
http://www.mail-archive.com/dev%40apr.apache.org/msg24609.html
Statement: The Red Hat Security Response Team has rated this issue as having moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.