Bug 880705 (CVE-2012-5373)

Summary: CVE-2012-5373 java: Murmur hash function collisions (oCERT-2012-001)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: ahughes, dbhole, dpal, jerboaa, jvanek, lkundrak, mark, mmatejov, omajid
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20121123,reported=20121123,source=oss-security,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,rhel-5/java-1.6.0-openjdk=new,rhel-6/java-1.6.0-openjdk=new,rhel-6/java-1.7.0-openjdk=new,fedora-16/java-1.6.0-openjdk=affected,fedora-all/java-1.7.0-openjdk=affected,rhel-5/java-1.6.0-sun=new,rhel-6/java-1.6.0-sun=new,rhel-5/java-1.4.2-ibm=new,rhel-5/java-1.5.0-ibm=new,rhel-5/java-1.6.0-ibm=new,rhel-5/java-1.4.2-ibm-sap=new,rhel-6/java-1.5.0-ibm=new,rhel-6/java-1.6.0-ibm=new,rhel-6/java-1.7.0-ibm=new,rhel-6/java-1.4.2-ibm-sap=new
Doc Type: Bug Fix
Bug Depends On: 880713, 880714    
Bug Blocks: 880720    

Description Jan Lieskovsky 2012-11-27 11:08:09 EST
A denial of service flaw was found in the Murmur hash function implementation, as used by various Java implementations. A specially crafted set of keys could trigger Murmur hash function collisions, which degrade hash table item insert performance by changing hash table operation complexity from an expected/average O(n) to the worst case O(n^2). Reporters were able to find colliding strings efficiently using equivalent substrings.

As various web application frameworks for Java automatically pre-fill certain arrays with data from the HTTP request (such as GET or POST parameters) for Java web applications, a remote attacker could use this flaw to make the Java virtual machine use an excessive amount of CPU time by sending a POST request with a large number of parameters which hash to the same value.

A different vulnerability than CVE-2012-2739.

References:
[1] http://www.openwall.com/lists/oss-security/2012/11/23/4
[2] http://www.ocert.org/advisories/ocert-2012-001.html
[3] http://2012.appsec-forum.ch/conferences/#c17
[4] https://www.131002.net/data/talks/appsec12_slides.pdf
[5] http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf
Comment 1 Jan Lieskovsky 2012-11-27 11:15:43 EST
Ruby language upstream (which was also vulnerable to a similar issue) in version ruby-1.9.3 patchlevel 327 has replaced the Murmur hash implementation with the SipHash-2-4 one (which is not vulnerable to this problem):
  http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
  https://www.131002.net/siphash/
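
The following is an added example, not part of the bug report and not code from OpenJDK or Ruby. It measures the insert cost the description refers to for a chained hash table, first with an unkeyed toy hash (a plain byte sum standing in for any predictable hash, not Murmur) and then with SipHash-2-4 under a secret key, the mitigation named in comment 1. The names `insert_cost`, `compare` and `KEYS` and the 256-bucket table are assumptions made for the illustration.

```python
import itertools, os, struct
MASK = 0xFFFFFFFFFFFFFFFF

def rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK

def sipround(a, b, c, d):
    a = (a + b) & MASK
    b = rotl(b, 13) ^ a
    a = rotl(a, 32)
    c = (c + d) & MASK
    d = rotl(d, 16) ^ c
    a = (a + d) & MASK
    d = rotl(d, 21) ^ a
    c = (c + b) & MASK
    b = rotl(b, 17) ^ c
    return a, b, rotl(c, 32), d

def siphash24(key, msg):
    """SipHash-2-4 of msg under a 16-byte key, as a 64-bit int."""
    k0, k1 = struct.unpack("<QQ", key)
    v = (k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573)
    tail = bytes(7 - len(msg) % 8) + bytes([len(msg) & 0xFF])  # pad + length byte
    for (m,) in struct.iter_unpack("<Q", msg + tail):
        v = sipround(*sipround(v[0], v[1], v[2], v[3] ^ m))  # 2 compression rounds
        v = (v[0] ^ m, v[1], v[2], v[3])
    v = (v[0], v[1], v[2] ^ 0xFF, v[3])
    for _ in range(4):  # 4 finalization rounds
        v = sipround(*v)
    return v[0] ^ v[1] ^ v[2] ^ v[3]

def insert_cost(keys, hash_fn, buckets=256):
    """Key comparisons spent inserting distinct keys into a chained table."""
    chains, cost = [0] * buckets, 0
    for i in (hash_fn(k) % buckets for k in keys):
        cost += chains[i]  # the duplicate check walks the whole chain
        chains[i] += 1
    return cost

# Constructed sample: 720 distinct keys that all share one byte sum.
KEYS = [bytes(p) for p in itertools.permutations(b"abcdef")]

def compare(key):
    """Return (cost with unkeyed toy hash, cost with SipHash-2-4 under key)."""
    weak = insert_cost(KEYS, sum)  # byte sum: toy stand-in, not Murmur
    return weak, insert_cost(KEYS, lambda k: siphash24(key, k))

if __name__ == "__main__":
    print(compare(os.urandom(16)))  # fresh secret key per process
```

With the unkeyed hash every key lands in one bucket, so the cost is n(n-1)/2 comparisons; with the keyed hash the same keys spread across the buckets because the bucket index depends on a key the sender does not know.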
Comment 2 Jan Lieskovsky 2012-11-27 11:17:57 EST
This issue affects the version of the java-1.6.0-openjdk package, as shipped with Fedora release of 16. Please schedule an update (once there is final upstream patch available).

--

This issue affects the versions of the java-1.7.0-openjdk packages, as shipped with Fedora release of 16 and 17. Please schedule an update (once there is final upstream patch available).
Comment 3 Jan Lieskovsky 2012-11-27 11:19:12 EST
Created java-1.6.0-openjdk tracking bugs for this issue

Affects: fedora-16 [bug 880713]
Comment 4 Jan Lieskovsky 2012-11-27 11:21:09 EST
Created java-1.7.0-openjdk tracking bugs for this issue

Affects: fedora-all [bug 880714]
Comment 5 Tomas Hoger 2012-11-27 11:49:40 EST
Bug 750533 tracks the original HashDoS attack variant for Java.  Bug 750533, comment 15 points to a discussion of the change that introduced Murmur hash use to mitigate the original hash collisions problem.