Juraj Somorovsky reported that certain XML parsers/servers are affected by the same, or a similar, flaw as the hash table collisions CPU usage denial of service. Sending a specially crafted message to an XML service can result in longer processing time, which could lead to a denial of service. It is reported that this attack on XML can be applied to different XML nodes (such as entities, element attributes, namespaces, various elements in XML security, etc.). sblim is written in Java and makes significant use of arrays.
SourceForge sblim upstream ticket:
[1] http://sourceforge.net/tracker/?func=detail&aid=3498482&group_id=128809&atid=712784

Patch against v2.1.3 version:
[2] http://sourceforge.net/tracker/download.php?group_id=128809&atid=712784&file_id=437695&aid=3498482

Patch against the HEAD version (picked up by v2.1.12 release):
[3] http://sourceforge.net/tracker/download.php?group_id=128809&atid=712784&file_id=438227&aid=3498482
Upstream commit: http://sblim.cvs.sourceforge.net/viewvc/sblim/jsr48-client/src/org/sblim/cimclient/internal/cimxml/sax/NodeFactory.java?view=log#rev1.7
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Via RHSA-2012:0987 https://rhn.redhat.com/errata/RHSA-2012-0987.html
The fix that was applied here is not correct (randomization as used here does not help) and was not actually needed (NODENAME_HASH uses a fixed, hard-coded set of strings as HashMap keys):
https://sourceforge.net/tracker/index.php?func=detail&aid=3535383&group_id=128809&atid=712784

It seems upstream will eventually revert the fix.
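As an added illustration of the distinction drawn in the comment above (this is not sblim's NodeFactory code; the class, method names and the sample node names are hypothetical/constructed), here is the difference in Java between a HashMap whose keys are a fixed, hard-coded set and is only ever read with input-derived strings, and a HashMap into which attacker-chosen names are inserted, which is the pattern the hash-collision denial of service targets.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not sblim's code; names below are hypothetical.
public class NodeNameLookup {

    // The NODENAME_HASH situation: a fixed, hard-coded key set populated once at
    // class load, never from parser input. The sample names are constructed.
    private static final Map<String, Integer> NODE_IDS = new HashMap<>();
    static {
        String[] names = {"CIM", "MESSAGE", "SIMPLEREQ", "IMETHODCALL", "VALUE"};
        for (int i = 0; i < names.length; i++) {
            NODE_IDS.put(names[i], i);
        }
    }

    // Not affected: input text is only used for a read. Even a name that lands
    // in the same bucket as a fixed key is compared against at most the few
    // fixed keys in that bucket, so per-lookup cost is bounded by the key set.
    public static int idForNodeName(String nameFromInput) {
        Integer id = NODE_IDS.get(nameFromInput);
        return id == null ? -1 : id;
    }

    // Affected pattern: every attacker-chosen name is inserted, so a crafted
    // document can pile many keys into one bucket and turn each later insert
    // or lookup into a linear scan of that chain.
    public static Map<String, String> collectAttributes(String[] names, String[] values) {
        Map<String, String> attrs = new HashMap<>();
        for (int i = 0; i < names.length; i++) {
            attrs.put(names[i], values[i]);
        }
        return attrs;
    }

    // A mitigation when the key set cannot be fixed: bound the number of
    // input-controlled entries before any of them is inserted.
    public static Map<String, String> collectAttributesBounded(
            String[] names, String[] values, int maxEntries) {
        if (names.length > maxEntries) {
            throw new IllegalArgumentException("too many attributes: " + names.length);
        }
        return collectAttributes(names, values);
    }
}
```

Since Java 8, HashMap converts long bucket chains of Comparable keys such as String into balanced trees, which bounds the worst case for the second pattern; the question of whether input can influence the map's contents at all is still what decides whether a given map needs attention.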