Red Hat Bugzilla – Bug 880705
CVE-2012-5373 java: Murmur hash function collisions (oCERT-2012-001)
Last modified: 2015-09-07 01:47:31 EDT
A denial of service flaw was found in the Murmur hash function implementation, as being used by various Java implementations. A specially-crafted set of keys could trigger Murmur hash function collisions, which degrade hash table items insert performance by changing hash table operations complexity from an expected/average O(n) to the worst case O(n^2). Reporters were able to find colliding strings efficiently using equivalent substrings.
As various web application frameworks for Java automatically pre-fill certain arrays with data from the HTTP request (such as GET or POST parameters) for Java web applications, a remote attacker could use this flaw to make the Java virtual machine to use an excessive amount of CPU time by sending a POST request with a large number parameters which hash to the same value.
A different vulnerability than CVE-2012-2739.
Ruby language upstream (which was also vulnerable to similar issue) in version ruby-1.9.3 patchlevel 327 has replaced the Murmur hash implementation with the SipHash-2-4 one (which is not vulnerable to this problem):
This issue affects the version of the java-1.6.0-openjdk package, as shipped with Fedora release of 16. Please schedule an update (once there is final upstream patch available).
This issue affects the versions of the java-1.7.0-openjdk packages, as shipped with Fedora release of 16 and 17. Please schedule an update (once there is final upstream patch available).
Created java-1.6.0-openjdk tracking bugs for this issue
Affects: fedora-16 [bug 880713]
Created java-1.7.0-openjdk tracking bugs for this issue
Affects: fedora-all [bug 880714]
Bug 750533 tracks the original HashDoS attack variant for Java. Bug 750533, comment 15 points to a discussion of the change that introduced Murmur hash use to mitigate the original hash collisions problem.