Bug 880705 - (CVE-2012-5373) CVE-2012-5373 java: Murmur hash function collisions (oCERT-2012-001)
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20121123,repor...
Keywords: Security
Depends On: 880713 880714
Blocks: 880720
Reported: 2012-11-27 11:08 EST by Jan Lieskovsky
Modified: 2015-09-07 01:47 EDT
Doc Type: Bug Fix
Description Jan Lieskovsky 2012-11-27 11:08:09 EST
A denial of service flaw was found in the Murmur hash function implementation, as used by various Java implementations. A specially-crafted set of keys could trigger Murmur hash function collisions, which degrade hash table item insertion performance by changing hash table operations complexity from an expected/average O(n) to the worst case O(n^2). Reporters were able to find colliding strings efficiently using equivalent substrings.

As various web application frameworks for Java automatically pre-fill certain arrays with data from the HTTP request (such as GET or POST parameters) for Java web applications, a remote attacker could use this flaw to make the Java virtual machine use an excessive amount of CPU time by sending a POST request with a large number of parameters which hash to the same value.

A different vulnerability than CVE-2012-2739.

References:
[1] http://www.openwall.com/lists/oss-security/2012/11/23/4
[2] http://www.ocert.org/advisories/ocert-2012-001.html
[3] http://2012.appsec-forum.ch/conferences/#c17
[4] https://www.131002.net/data/talks/appsec12_slides.pdf
[5] http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf
Comment 1 Jan Lieskovsky 2012-11-27 11:15:43 EST
Ruby language upstream (which was also vulnerable to a similar issue) in version ruby-1.9.3 patchlevel 327 has replaced the Murmur hash implementation with the SipHash-2-4 one (which is not vulnerable to this problem):
  http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
  https://www.131002.net/siphash/
Comment 2 Jan Lieskovsky 2012-11-27 11:17:57 EST
This issue affects the version of the java-1.6.0-openjdk package, as shipped with Fedora release of 16. Please schedule an update (once there is a final upstream patch available).

--

This issue affects the versions of the java-1.7.0-openjdk packages, as shipped with Fedora release of 16 and 17. Please schedule an update (once there is a final upstream patch available).
Comment 3 Jan Lieskovsky 2012-11-27 11:19:12 EST
Created java-1.6.0-openjdk tracking bugs for this issue

Affects: fedora-16 [bug 880713]
Comment 4 Jan Lieskovsky 2012-11-27 11:21:09 EST
Created java-1.7.0-openjdk tracking bugs for this issue

Affects: fedora-all [bug 880714]
Comment 5 Tomas Hoger 2012-11-27 11:49:40 EST
Bug 750533 tracks the original HashDoS attack variant for Java.  Bug 750533, comment 15 points to a discussion of the change that introduced Murmur hash use to mitigate the original hash collisions problem.
