A denial of service flaw was found in the Murmur hash function implementation, as used by various Java implementations. A specially-crafted set of keys could trigger Murmur hash function collisions, which degrade hash table item insert performance by changing hash table operation complexity from an expected/average O(n) to the worst case O(n^2). Reporters were able to find colliding strings efficiently using equivalent substrings.

As various web application frameworks for Java automatically pre-fill certain arrays with data from the HTTP request (such as GET or POST parameters) for Java web applications, a remote attacker could use this flaw to make the Java virtual machine use an excessive amount of CPU time by sending a POST request with a large number of parameters which hash to the same value.

A different vulnerability than CVE-2012-2739.

References:
[1] http://www.openwall.com/lists/oss-security/2012/11/23/4
[2] http://www.ocert.org/advisories/ocert-2012-001.html
[3] http://2012.appsec-forum.ch/conferences/#c17
[4] https://www.131002.net/data/talks/appsec12_slides.pdf
[5] http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf
Ruby language upstream (which was also vulnerable to a similar issue) in version ruby-1.9.3 patchlevel 327 has replaced the Murmur hash implementation with the SipHash-2-4 one (which is not vulnerable to this problem):

http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
https://www.131002.net/siphash/
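A keyed hash is what makes the replacement mentioned above resistant to precomputed collisions: bucket placement depends on a secret the sender of the keys does not know. The following is an added example, not code from this bug report, from Ruby or from OpenJDK; it implements SipHash-2-4 in Python, and the `bucket_counts` helper, the 1024-bucket table and the `param<i>` names are constructed for illustration.

```python
import os
import struct
from collections import Counter

MASK = 0xFFFFFFFFFFFFFFFF  # keep all arithmetic in 64 bits

def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK

def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK
    v1 = _rotl(v1, 13) ^ v0
    v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK
    v3 = _rotl(v3, 16) ^ v2
    v0 = (v0 + v3) & MASK
    v3 = _rotl(v3, 21) ^ v0
    v2 = (v2 + v1) & MASK
    v1 = _rotl(v1, 17) ^ v2
    v2 = _rotl(v2, 32)
    return v0, v1, v2, v3

def siphash24(key, msg):
    """SipHash-2-4 of msg (bytes) under a 16-byte secret key, as a 64-bit int."""
    if len(key) != 16:
        raise ValueError("SipHash key must be exactly 16 bytes")
    k0, k1 = struct.unpack("<QQ", key)
    v = (k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573)
    # Zero-pad to a multiple of 8 bytes; the last byte carries len(msg) mod 256.
    padded = msg + b"\x00" * (7 - len(msg) % 8) + bytes([len(msg) & 0xFF])
    for (m,) in struct.iter_unpack("<Q", padded):
        v = (v[0], v[1], v[2], v[3] ^ m)
        v = _sipround(*_sipround(*v))        # 2 compression rounds per block
        v = (v[0] ^ m, v[1], v[2], v[3])
    v = (v[0], v[1], v[2] ^ 0xFF, v[3])
    for _ in range(4):                       # 4 finalization rounds
        v = _sipround(*v)
    return v[0] ^ v[1] ^ v[2] ^ v[3]

def bucket_counts(secret, names, n_buckets=1024):
    """Chain length per bucket for a hash table keyed with `secret` (hypothetical helper)."""
    return Counter(siphash24(secret, n.encode("utf-8")) % n_buckets for n in names)

if __name__ == "__main__":
    names = [f"param{i}" for i in range(1000)]   # constructed sample keys
    secret = os.urandom(16)                      # fresh per-process secret
    print("longest chain:", max(bucket_counts(secret, names).values()))
```

The protection depends on the 16-byte key being unpredictable and generated per process; with a fixed or leaked key, bucket placement is as predictable as with an unkeyed hash.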
This issue affects the version of the java-1.6.0-openjdk package, as shipped with Fedora release of 16. Please schedule an update (once there is final upstream patch available).

--

This issue affects the versions of the java-1.7.0-openjdk packages, as shipped with Fedora release of 16 and 17. Please schedule an update (once there is final upstream patch available).
Created java-1.6.0-openjdk tracking bugs for this issue
Affects: fedora-16 [bug 880713]

Created java-1.7.0-openjdk tracking bugs for this issue
Affects: fedora-all [bug 880714]
Bug 750533 tracks the original HashDoS attack variant for Java. Bug 750533, comment 15 points to a discussion of the change that introduced Murmur hash use to mitigate the original hash collisions problem.