CVE-2012-5371
First published: Fri Nov 09 2012(Updated: )
Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ruby | <=1.9.3 | |
| Ruby | =1.9 | |
| Ruby | =1.9.1 | |
| Ruby | =1.9.2 | |
| Ruby | =1.9.3 | |
| Ruby | =1.9.3-p0 | |
| Ruby | =1.9.3-p125 | |
| Ruby | =1.9.3-p194 | |
| Ruby | =2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://2012.appsec-forum.ch/conferences/#c17
- http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf
- http://secunia.com/advisories/51253
- http://securitytracker.com/id?1027747
- http://www.ocert.org/advisories/ocert-2012-001.html
- http://www.osvdb.org/87280
- http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
- http://www.securityfocus.com/bid/56484
- http://www.ubuntu.com/usn/USN-1733-1
- https://bugzilla.redhat.com/show_bug.cgi?id=875236
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79993
- https://www.131002.net/data/talks/appsec12_slides.pdf
- http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37600
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=875267
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=875268
- http://www.openwall.com/lists/oss-security/2012/11/23/4
- https://rhn.redhat.com/errata/RHSA-2013-0582.html
Frequently Asked Questions
What is the severity of CVE-2012-5371?
CVE-2012-5371 is categorized as a medium severity vulnerability due to its potential to disrupt service via hash collision attacks.
How do I fix CVE-2012-5371?
To mitigate CVE-2012-5371, upgrade Ruby to version 1.9.3-p327 or later, or 2.0 r37575 or later.
What systems are affected by CVE-2012-5371?
CVE-2012-5371 affects Ruby versions prior to 1.9.3-p327 and 2.0 before r37575.
What kind of attacks can CVE-2012-5371 facilitate?
CVE-2012-5371 can facilitate denial of service attacks through CPU resource exhaustion caused by hash flooding.
Is CVE-2012-5371 exploitable remotely?
Yes, CVE-2012-5371 can be exploited remotely by context-dependent attackers using specially crafted input.
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-5371
- agent/severity
- agent/author
- agent/remedy
- agent/references
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/ruby-lang
- canonical/ruby
- version/ruby/1.9.3
- version/ruby/1.9
- version/ruby/1.9.1
- version/ruby/1.9.2
- version/ruby/1.9.3-p0
- version/ruby/1.9.3-p125
- version/ruby/1.9.3-p194
- version/ruby/2.0