CVE-2012-5373
First published: Tue Nov 27 2012(Updated: )
A denial of service flaw was found in the Murmur hash function implementation, as being used by various Java implementations. A specially-crafted set of keys could trigger Murmur hash function collisions, which degrade hash table items insert performance by changing hash table operations complexity from an expected/average O(n) to the worst case O(n^2). Reporters were able to find colliding strings efficiently using equivalent substrings. As various web application frameworks for Java automatically pre-fill certain arrays with data from the HTTP request (such as GET or POST parameters) for Java web applications, a remote attacker could use this flaw to make the Java virtual machine to use an excessive amount of CPU time by sending a POST request with a large number parameters which hash to the same value. A different vulnerability than <a href="https://access.redhat.com/security/cve/CVE-2012-2739">CVE-2012-2739</a>. References: [1] <a href="http://www.openwall.com/lists/oss-security/2012/11/23/4">http://www.openwall.com/lists/oss-security/2012/11/23/4</a> [2] <a href="http://www.ocert.org/advisories/ocert-2012-001.html">http://www.ocert.org/advisories/ocert-2012-001.html</a> [3] <a href="http://2012.appsec-forum.ch/conferences/#c17">http://2012.appsec-forum.ch/conferences/#c17</a> [4] <a href="https://www.131002.net/data/talks/appsec12_slides.pdf">https://www.131002.net/data/talks/appsec12_slides.pdf</a> [5] <a href="http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf">http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK | <=1.7.0 | |
| Oracle JRE | <=1.7.0 | |
| Oracle OpenJDK | <=1.7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2012-2739
- http://www.openwall.com/lists/oss-security/2012/11/23/4
- http://www.ocert.org/advisories/ocert-2012-001.html
- http://2012.appsec-forum.ch/conferences/#c17
- https://www.131002.net/data/talks/appsec12_slides.pdf
- http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf
- http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
- https://www.131002.net/siphash/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=880713
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=880714
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=750533
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=750533#c15
- https://bugzilla.redhat.com/show_bug.cgi?id=880705
- http://www.securityfocus.com/bid/56673
- https://exchange.xforce.ibmcloud.com/vulnerabilities/80299
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/event
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-5373
- vendor/oracle
- canonical/oracle jdk
- version/oracle jdk/1.7.0
- canonical/oracle jre
- version/oracle jre/1.7.0
- canonical/oracle openjdk
- version/oracle openjdk/1.7.0