Bug 781606 - (CVE-2012-0840) CVE-2012-0840 apr: hash table collisions CPU usage DoS
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20120105,repor...
: Security
Blocks: hashdos/oCERT-2011-003 782130
Reported: 2012-01-13 15:34 EST by Vincent Danen
Modified: 2015-08-20 02:35 EDT
Fixed In Version: apr 1.4.6
Doc Type: Bug Fix
Description Vincent Danen 2012-01-13 15:34:47 EST
Julian Wälde and Alexander Klink reported a way to degrade performance of the Java Hashtable implementation by filling the hash table with keys with identical hash codes - see bug #770929 for details.

The apr developers are looking at adding randomization [1] to apr to mitigate such attacks.  It is unknown how such attacks may be mounted against applications using libapr, or what the result might be, but the developers are discussing how best to address this.  There is currently no formal patch or commit to apr.

[1] http://www.mail-archive.com/dev%40apr.apache.org/msg24439.html
Comment 2 Tomas Hoger 2012-01-16 04:04:59 EST
(In reply to comment #0)
> There is currently no formal patch or commit to apr.

Patches start to appear upstream:
http://svn.apache.org/viewvc?view=revision&revision=1231605
http://svn.apache.org/viewvc?view=revision&revision=1231858
Comment 8 Bojan Smojver 2012-01-27 17:19:22 EST
The above were reverted. You can try:

http://svn.apache.org/viewvc?view=revision&revision=1236642
Comment 9 Bojan Smojver 2012-01-27 22:01:16 EST
(In reply to comment #8)
> The above were reverted. You can try:
> 
> http://svn.apache.org/viewvc?view=revision&revision=1236642

Actually, I just reverted this as well. It would not be effective.
Comment 10 Bojan Smojver 2012-01-27 22:23:53 EST
New commit:

http://svn.apache.org/viewvc?view=revision&revision=1236970
Comment 11 Bojan Smojver 2012-01-28 10:55:56 EST
Also:

http://svn.apache.org/viewvc?view=revision&revision=1237078
Comment 12 Bojan Smojver 2012-01-29 18:39:41 EST
And:

http://svn.apache.org/viewvc?view=revision&revision=1237507
Comment 13 Vincent Danen 2012-02-08 23:18:10 EST
This was assigned the name CVE-2012-0840:

http://seclists.org/oss-sec/2012/q1/391
Comment 14 Fedora Update System 2012-03-01 04:21:12 EST
apr-1.4.6-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2012-03-01 04:35:17 EST
apr-1.4.6-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Tomas Hoger 2012-05-30 05:29:54 EDT
There has been a post from William A. Rowe Jr. indicating this should not have been called security upstream:

http://thread.gmane.org/gmane.comp.apache.apr.devel/18632/focus=18802

which resulted in:

http://svn.apache.org/viewvc?view=revision&revision=1293697

i.e. CHANGES file now says:

  *) Randomise hashes by providing a seed.
     Assigned CVE-2012-0840, oCERT-2011-003, but not known to be exploitable.
     [Bojan Smojver, Branko Čibej, Ruediger Pluem et al.]

Bojan, Joe, I guess the randomization itself is not planned to be removed despite the above change.
Comment 17 Bojan Smojver 2012-05-30 07:53:43 EDT
(In reply to comment #16)

> Bojan, Joe, I guess the randomization itself is not planned to be removed
> despite the above change.

No, it stays. It is a mitigation approach against a potential problem.
Comment 18 Stefan Cornelius 2013-02-21 04:30:17 EST
Dropping this to low as, reportedly, there is no suitable vector for this to be exploited:
http://www.mail-archive.com/dev%40apr.apache.org/msg24609.html

Statement:

The Red Hat Security Response Team has rated this issue as having moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
