Bug 781606 (CVE-2012-0840)

Summary: CVE-2012-0840 apr: hash table collisions CPU usage DoS
Product: [Other] Security Response
Component: vulnerability
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bojan, jorton, mjc, oliver
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: apr 1.4.6
Doc Type: Bug Fix
Last Closed: 2021-10-19 21:51:33 UTC
Bug Blocks: 770929, 782130

Description Vincent Danen 2012-01-13 20:34:47 UTC
Julian Wälde and Alexander Klink reported a way to degrade performance of the Java Hashtable implementation by filling the hash table with keys with identical hash codes - see bug #770929 for details.

The apr developers are looking at adding randomization [1] to apr to mitigate such attacks.  It is unknown how such attacks may be mounted against applications using libapr, or what the result might be, but the developers are discussing how best to address this.  There is currently no formal patch or commit to apr.

[1] http://www.mail-archive.com/dev%40apr.apache.org/msg24439.html

Comment 2 Tomas Hoger 2012-01-16 09:04:59 UTC
(In reply to comment #0)
> There is currently no formal patch or commit to apr.

Patches start to appear upstream:
http://svn.apache.org/viewvc?view=revision&revision=1231605
http://svn.apache.org/viewvc?view=revision&revision=1231858

Comment 8 Bojan Smojver 2012-01-27 22:19:22 UTC
The above were reverted. You can try:

http://svn.apache.org/viewvc?view=revision&revision=1236642

Comment 9 Bojan Smojver 2012-01-28 03:01:16 UTC
(In reply to comment #8)
> The above were reverted. You can try:
> 
> http://svn.apache.org/viewvc?view=revision&revision=1236642

Actually, I just reverted this as well. It would not be effective.

Comment 10 Bojan Smojver 2012-01-28 03:23:53 UTC
New commit:

http://svn.apache.org/viewvc?view=revision&revision=1236970

Comment 11 Bojan Smojver 2012-01-28 15:55:56 UTC
Also:

http://svn.apache.org/viewvc?view=revision&revision=1237078

Comment 12 Bojan Smojver 2012-01-29 23:39:41 UTC
And:

http://svn.apache.org/viewvc?view=revision&revision=1237507

Comment 13 Vincent Danen 2012-02-09 04:18:10 UTC
This was assigned the name CVE-2012-0840:

http://seclists.org/oss-sec/2012/q1/391

Comment 14 Fedora Update System 2012-03-01 09:21:12 UTC
apr-1.4.6-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2012-03-01 09:35:17 UTC
apr-1.4.6-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Tomas Hoger 2012-05-30 09:29:54 UTC
There has been a post from William A. Rowe Jr. indicating this should not have been called security upstream:

http://thread.gmane.org/gmane.comp.apache.apr.devel/18632/focus=18802

which resulted in:

http://svn.apache.org/viewvc?view=revision&revision=1293697

i.e. CHANGES file now says:

  *) Randomise hashes by providing a seed.
     Assigned CVE-2012-0840, oCERT-2011-003, but not known to be exploitable.
     [Bojan Smojver, Branko Čibej, Ruediger Pluem et al.]

Bojan, Joe, I guess the randomization itself is not planned to be removed despite the above change.

Comment 17 Bojan Smojver 2012-05-30 11:53:43 UTC
(In reply to comment #16)

> Bojan, Joe, I guess the randomization itself is not planned to be removed
> despite the above change.

No, it stays. It is a mitigation approach against a potential problem.

Comment 18 Stefan Cornelius 2013-02-21 09:30:17 UTC
Dropping this to low as, reportedly, there is no suitable vector for this to be exploited:
http://www.mail-archive.com/dev%40apr.apache.org/msg24609.html