Bug 880671 - (CVE-2012-5370) CVE-2012-5370 jruby: Murmur hash function collisions (oCERT-2012-001)
CVE-2012-5370 jruby: Murmur hash function collisions (oCERT-2012-001)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20121123,repor...
: Security
Depends On: 880674 881571
Blocks: 875553 880678 883225
  Show dependency treegraph
 
Reported: 2012-11-27 10:04 EST by Jan Lieskovsky
Modified: 2015-07-31 02:55 EDT (History)
8 users (show)

See Also:
Fixed In Version: JRuby 1.7.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-21 00:14:39 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch to the issue (11.08 KB, patch)
2012-12-10 18:50 EST, Martin Quinson
no flags Details | Diff
Updated version of the patch, picking the main change from upstream (4.78 KB, patch)
2012-12-11 16:07 EST, Martin Quinson
no flags Details | Diff

  None (edit)
Description Jan Lieskovsky 2012-11-27 10:04:21 EST
A denial of service flaw was found in the JRuby's Murmur hash function implementation. A specially-crafted set of keys could trigger Murmur hash function collisions, which degrade hash table items insert performance by changing hash table operations complexity from an expected/average O(n) to the worst case O(n^2). Reporters were able to find colliding strings efficiently using equivalent substrings.

As various web application frameworks for Ruby automatically pre-fill certain arrays with data from the HTTP request (such as GET or POST parameters) for Ruby web applications, a remote attacker could use this flaw to make the Ruby interpreter use an excessive amount of CPU time by sending a POST request with a large number parameters which hash to the same value.

A different vulnerability than CVE-2011-4838.

References:
[1] http://www.openwall.com/lists/oss-security/2012/11/23/4
[2] http://www.ocert.org/advisories/ocert-2012-001.html
[3] http://2012.appsec-forum.ch/conferences/#c17
[4] https://www.131002.net/data/talks/appsec12_slides.pdf
[5] http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf
Comment 1 Jan Lieskovsky 2012-11-27 10:16:38 EST
This issue affects the versions of the jruby package, as shipped with Fedora release of 16 and 17. Please schedule an update (once there is final upstream patch available).
Comment 2 Jan Lieskovsky 2012-11-27 10:17:32 EST
Created jruby tracking bugs for this issue

Affects: fedora-all [bug 880674]
Comment 3 Jan Lieskovsky 2012-11-27 10:19:59 EST
Ruby language upstream in version ruby-1.9.3 patchlevel 327 has replaced the Murmur hash function / algorithm implementation with the SipHash-2-4 implementation:
  http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
  https://www.131002.net/siphash/
Comment 6 David Jorm 2012-11-29 01:06:18 EST
Fuse Enterprise ESB 7.0.2 ships JRuby 1.6.7 as part of the camel-ruby component, which allows users to define Camel routes in Ruby. JRuby 1.6.7 exposes this flaw, although the default use of JRuby in Fuse Enterprise ESB 7.0.2 does not appear to expose the flaw. If the version of JRuby shipped with Fuse Enterprise ESB 7.0.2 was used to build a custom application, then this flaw could be exposed. A bug has been filed to update JRuby as shipped with Fuse Enterprise ESB once an upstream fix is available:

http://fusesource.com/issues/browse/ENTESB-454
Comment 7 David Jorm 2012-11-29 01:16:26 EST
JBoss Enterprise SOA Platform 5.3.0 ships JRuby 1.6.5.1 as part of the scripting_chain quickstart sample application. JRuby 1.6.5.1 exposes this flaw, although the sample application itself does not appear to expose the flaw. If the version of JRuby shipped with the scripting_chain sample application was used to build a custom application, then this flaw could be exposed. A bug has been filed to update JRuby as shipped with the sample application once an upstream fix is available:

https://issues.jboss.org/browse/JBESB-3884
Comment 9 Martin Quinson 2012-12-10 18:50:35 EST
Created attachment 661196 [details]
patch to the issue

Here is a proposed patch to fix that issue, using SipHash instead of bogus MurmurHash, exactly as it was done in the C version of ruby.
Comment 10 Jan Lieskovsky 2012-12-11 04:17:59 EST
(In reply to comment #9)
> Created attachment 661196 [details]
> patch to the issue
> 
> Here is a proposed patch to fix that issue, using SipHash instead of bogus
> MurmurHash, exactly as it was done in the C version of ruby.

Thank you for that patch proposal, Martin.

Just out-of-curiosity have you checked that with JRuby upstream? (would be great if they would accept it too / first)

Thank you, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 11 Martin Quinson 2012-12-11 08:17:44 EST
(In reply to comment #10)
> Just out-of-curiosity have you checked that with JRuby upstream? (would be
> great if they would accept it too / first)

I just sent the patch to security@jruby.org, will see what they think of it.

Thanks for reminding me. Do you have another idea of how I should/could report it upstream?

Thanks for your time, 
Mt
Comment 12 Jan Lieskovsky 2012-12-11 08:39:32 EST
(In reply to comment #11)
> (In reply to comment #10)
> > Just out-of-curiosity have you checked that with JRuby upstream? (would be
> > great if they would accept it too / first)
> 
> I just sent the patch to security@jruby.org, will see what they think of it.

That would be sufficient. Thank you for doing that.

Regards, Jan.
Comment 13 Martin Quinson 2012-12-11 16:07:01 EST
Created attachment 661686 [details]
Updated version of the patch, picking the main change from upstream

I was told by upstream that they already solved this CVE in the 1.7.1 branch, but not with SipHash (as done in C version) because it's too slow. Instead they used PerlHash. So I updated my patch, and uploaded to debian.

Thanks for the advice of contacting upstream, I should have thought of it myself.

Bye, Mt.
Comment 14 Jan Lieskovsky 2012-12-12 05:56:32 EST
Changelog for 1.7.1 release:
  http://jruby.org/2012/12/03/jruby-1-7-1

and relevant patch:
  https://github.com/jruby/jruby/commit/5e4aab28b26fd127112b76fabfac9a33b64caf77
Comment 16 errata-xmlrpc 2012-12-20 22:10:51 EST
This issue has been addressed in following products:

  Fuse ESB Enterprise 7.1.0

Via RHSA-2012:1604 https://rhn.redhat.com/errata/RHSA-2012-1604.html
Comment 17 errata-xmlrpc 2013-02-20 16:44:32 EST
This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 5.3.1

Via RHSA-2013:0533 https://rhn.redhat.com/errata/RHSA-2013-0533.html

Note You need to log in before you can comment on or make changes to this bug.