medium
5
CWE
310
Advisory Published
CVE Published
Updated

CVE-2012-5373

First published: Tue Nov 27 2012(Updated: )

A denial of service flaw was found in the Murmur hash function implementation, as being used by various Java implementations. A specially-crafted set of keys could trigger Murmur hash function collisions, which degrade hash table items insert performance by changing hash table operations complexity from an expected/average O(n) to the worst case O(n^2). Reporters were able to find colliding strings efficiently using equivalent substrings. As various web application frameworks for Java automatically pre-fill certain arrays with data from the HTTP request (such as GET or POST parameters) for Java web applications, a remote attacker could use this flaw to make the Java virtual machine to use an excessive amount of CPU time by sending a POST request with a large number parameters which hash to the same value. A different vulnerability than <a href="https://access.redhat.com/security/cve/CVE-2012-2739">CVE-2012-2739</a>. References: [1] <a href="http://www.openwall.com/lists/oss-security/2012/11/23/4">http://www.openwall.com/lists/oss-security/2012/11/23/4</a> [2] <a href="http://www.ocert.org/advisories/ocert-2012-001.html">http://www.ocert.org/advisories/ocert-2012-001.html</a> [3] <a href="http://2012.appsec-forum.ch/conferences/#c17">http://2012.appsec-forum.ch/conferences/#c17</a> [4] <a href="https://www.131002.net/data/talks/appsec12_slides.pdf">https://www.131002.net/data/talks/appsec12_slides.pdf</a> [5] <a href="http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf">http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf</a>

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
Oracle JDK 6<=1.7.0
Oracle Java Runtime Environment (JRE)<=1.7.0
OpenJDK 17<=1.7.0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2012-5373?

    CVE-2012-5373 is considered a denial of service vulnerability that can significantly impact performance.

  • How do I fix CVE-2012-5373?

    To fix CVE-2012-5373, upgrade to a version of Oracle JDK, JRE, or OpenJDK that is later than 1.7.0.

  • What applications are affected by CVE-2012-5373?

    CVE-2012-5373 affects various Java implementations that utilize the Murmur hash function, including Oracle JDK, JRE, and OpenJDK.

  • What kind of attack does CVE-2012-5373 facilitate?

    CVE-2012-5373 allows an attacker to create specially-crafted keys that can cause hash collisions, leading to denial of service.

  • Is there a known exploit for CVE-2012-5373?

    While there may be theoretical attacks based on the vulnerability, no specific known exploits have been widely published for CVE-2012-5373.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203