Bug 880705 (CVE-2012-5373) - CVE-2012-5373 java: Murmur hash function collisions (oCERT-2012-001)
Summary: CVE-2012-5373 java: Murmur hash function collisions (oCERT-2012-001)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5373
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 880713 880714
Blocks: 880720
Reported: 2012-11-27 16:08 UTC by Jan Lieskovsky
Modified: 2021-10-19 21:57 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-19 21:57:49 UTC
Embargoed:



Description Jan Lieskovsky 2012-11-27 16:08:09 UTC
A denial of service flaw was found in the Murmur hash function implementation, as used by various Java implementations. A specially-crafted set of keys could trigger Murmur hash function collisions, which degrade hash table item insert performance by changing hash table operation complexity from an expected/average O(n) to the worst case O(n^2). Reporters were able to find colliding strings efficiently using equivalent substrings.

As various web application frameworks for Java automatically pre-fill certain arrays with data from the HTTP request (such as GET or POST parameters) for Java web applications, a remote attacker could use this flaw to make the Java virtual machine use an excessive amount of CPU time by sending a POST request with a large number of parameters which hash to the same value.

A different vulnerability than CVE-2012-2739.

References:
[1] http://www.openwall.com/lists/oss-security/2012/11/23/4
[2] http://www.ocert.org/advisories/ocert-2012-001.html
[3] http://2012.appsec-forum.ch/conferences/#c17
[4] https://www.131002.net/data/talks/appsec12_slides.pdf
[5] http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf

Comment 1 Jan Lieskovsky 2012-11-27 16:15:43 UTC
Ruby language upstream (which was also vulnerable to a similar issue) in version ruby-1.9.3 patchlevel 327 has replaced the Murmur hash implementation with the SipHash-2-4 one (which is not vulnerable to this problem):
  http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
  https://www.131002.net/siphash/
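
Added example, not part of the bug report or of any affected project's code: a minimal chained hash table that counts key comparisons, showing the insert cost described in the Description when every key lands in one bucket, next to the cost under a keyed hash of the kind Comment 1 mentions. Assumptions: the constant `degenerate_hash` only simulates a fully colliding key set (no Murmur collisions are computed), keyed BLAKE2b stands in for SipHash-2-4, and the `param<i>` keys and all function names are constructed for illustration.

```python
import hashlib
import os


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons."""

    def __init__(self, n_buckets, hash_fn):
        self.buckets = [[] for _ in range(n_buckets)]
        self.hash_fn = hash_fn
        self.comparisons = 0

    def put(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:          # walk the chain looking for the key
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def degenerate_hash(key):
    # Constructed stand-in for a key set in which every key collides.
    return 0


def keyed_hash(secret):
    # Keyed BLAKE2b, used here as a stand-in for a keyed PRF such as SipHash-2-4.
    def h(key):
        digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "little")
    return h


def insert_cost(n_keys, hash_fn, n_buckets=4096):
    """Comparisons needed to insert n_keys distinct parameter names."""
    table = ChainedTable(n_buckets, hash_fn)
    for i in range(n_keys):
        table.put(f"param{i}", "x")   # constructed sample keys
    return table.comparisons


if __name__ == "__main__":
    secret = os.urandom(16)           # per-process random key
    for n in (500, 1000, 2000):
        print(n, insert_cost(n, degenerate_hash), insert_cost(n, keyed_hash(secret)))
```

Doubling the number of colliding keys roughly quadruples the comparison count (n(n-1)/2 in total), while the keyed column stays small because chains remain short.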

Comment 2 Jan Lieskovsky 2012-11-27 16:17:57 UTC
This issue affects the version of the java-1.6.0-openjdk package, as shipped with Fedora release of 16. Please schedule an update (once there is final upstream patch available).

--

This issue affects the versions of the java-1.7.0-openjdk packages, as shipped with Fedora release of 16 and 17. Please schedule an update (once there is final upstream patch available).

Comment 3 Jan Lieskovsky 2012-11-27 16:19:12 UTC
Created java-1.6.0-openjdk tracking bugs for this issue

Affects: fedora-16 [bug 880713]

Comment 4 Jan Lieskovsky 2012-11-27 16:21:09 UTC
Created java-1.7.0-openjdk tracking bugs for this issue

Affects: fedora-all [bug 880714]

Comment 5 Tomas Hoger 2012-11-27 16:49:40 UTC
Bug 750533 tracks the original HashDoS attack variant for Java.  Bug 750533, comment 15 points to a discussion of the change that introduced Murmur hash use to mitigate the original hash collisions problem.

