Multiple programming languages and frameworks Hash Table collision denial of service vulnerability

Last Update Date: 30 Dec 2011 18:10 Release Date: 30 Dec 2011 5657 Views

RISK: High Risk

High Risk

TYPE: Servers - Internet App Servers

TYPE: Internet App Servers

A vulnerability has been identified in multiple web programming languages and frameworks, which can be exploited by malicious people to cause a DoS (Denial of Service).
 

A variety of programming languages and platforms suffered from a Denial of Service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.

If the programming languages and frameworks are lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision properties in the hashing functions of the underlying languages can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to a 100% of CPU usage which can last up to several hours depending on the targeted application and server performance, the amplification effect is considerable and requires little bandwidth and time on the attacker side.

Impact

  • Denial of Service

System / Technologies affected

  • Apache Geronimo - all versions
  • Apache Tomcat 5.5.34 and prior, 6.0.34 and prior, 7.0.22 and prior
  • Java - all versions
  • Jetty - all versions
  • JRuby 1.6.5 and prior
  • Microsoft ASP .NET - all versions
  • Oracle Glassfish 3.1.1 and prior
  • PHP 5.3.8 and prior, 5.4.0RC3 and prior
  • Plone - all versions
  • Python - all versions
  • Rack - all versions
  • Rubinius - all versions
  • Ruby 1.8.7-p356 and prior
  • V8 JavaScript Engine - all versions

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • Apache Geronimo - No patch available yet.
  • Apache Tomcat Update to version 5.5.35 or 6.0.35 or  7.0.23
  • Java - No patch available yet.
  • Jetty - No patch available yet.
  • JRuby - Update to version 1.6.5.1
  • Microsoft ASP .NET - Update to fixed version provided in MS11-100
  • Oracle Glassfish - No patch available yet. (Oracle reports that the issue is fixed in the main codeline and scheduled for a future CPU)
  • Plone - No patch available yet.
  • Python - No patch available yet.
  • PHP - Update to version 5.3.9 or 5.4.0RC4
  • Rack - No patch available yet.
  • Rubinius - No patch available yet.
  • Ruby - Update to version  1.8.7-p357 or 1.9.x
  • V8 JavaScript Engine - No patch available yet.

 

For those programming languages and frameworks do not have patch yet, please consider to apply the following workaround:

  • Limiting CPU time
    Limiting the processing time for a single request can help minimize the impact of malicious requests.
  • Limiting maximal POST size
    Limiting the maximum POST request size can reduce the number of possible predictable collisions, thus reducing the impact of an attack.
  • Limiting maximal number of parameters
    Some servers offer the option to limit the number of parameters per request, which can also minimize impact

Vulnerability Identifier

Source

Related Link

Share with

Previous

Microsoft ASP .NET Framework Multiple Vulnerabilities

30 Dec 2011 5650 Views

Next

MIT Kerberos krb5 Telnet Daemon and Client Buffer Overflow Vulnerability

4 Jan 2012 5668 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY