
REDHAT-BUG-875236

First published: Fri Nov 09 2012

Ruby 1.9.3-p327 was released to correct a hash-flooding denial-of-service vulnerability that affects only the 1.9.x series and the 2.0.0 preview [1]. As noted in the upstream report:

"A carefully crafted sequence of strings can cause a denial of service attack on a service that parses the sequence to create a Hash object using the strings as keys. For instance, this vulnerability affects a web application that parses JSON data sent from an untrusted entity. This vulnerability is similar to CVE-2011-4815 for Ruby 1.8.7. Ruby 1.9 versions were using a modified MurmurHash function, but it has been reported that there is a way to create a sequence of strings whose hash values collide with each other. This fix changes the hash function of String objects from MurmurHash to SipHash 2-4."

Ruby 1.8.x is not noted as being affected by this flaw.

[1] http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
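The defensive point of the fix is that SipHash 2-4 is a keyed function: when the 16-byte key is chosen at random per process, the hash of any given string is unknown before the process starts, so an attacker cannot precompute a set of colliding keys the way they could against an unkeyed MurmurHash. The following pure-Ruby SipHash-2-4 is an added illustration written for this page; it is not the C implementation that Ruby 1.9.3-p327 ships, and the helpers `random_hash_key` and `max_bucket_load` are hypothetical names introduced here. The two reference values it is checked against (all-zero-length message, and the 15-byte message 00..0e, both under the key 00..0f) are the published SipHash-2-4 test vectors.

```ruby
require "securerandom"

MASK64 = (1 << 64) - 1

# 64-bit rotate left, masked because Ruby Integers are unbounded.
def rotl64(x, b)
  ((x << b) | (x >> (64 - b))) & MASK64
end

# One SipRound over the four 64-bit state words.
def sip_round(v0, v1, v2, v3)
  v0 = (v0 + v1) & MASK64; v1 = rotl64(v1, 13); v1 ^= v0; v0 = rotl64(v0, 32)
  v2 = (v2 + v3) & MASK64; v3 = rotl64(v3, 16); v3 ^= v2
  v0 = (v0 + v3) & MASK64; v3 = rotl64(v3, 21); v3 ^= v0
  v2 = (v2 + v1) & MASK64; v1 = rotl64(v1, 17); v1 ^= v2; v2 = rotl64(v2, 32)
  [v0, v1, v2, v3]
end

# SipHash-2-4: two compression rounds per 8-byte block, four finalization rounds.
# key is a 16-byte binary String, msg any String; returns a 64-bit Integer.
def siphash24(key, msg)
  raise ArgumentError, "key must be 16 bytes" unless key.bytesize == 16
  k0, k1 = key.unpack("Q<Q<")
  v0 = k0 ^ 0x736f6d6570736575 # "somepseu"
  v1 = k1 ^ 0x646f72616e646f6d # "dorandom"
  v2 = k0 ^ 0x6c7967656e657261 # "lygenera"
  v3 = k1 ^ 0x7465646279746573 # "tedbytes"
  bytes = msg.bytes
  full = bytes.length - (bytes.length % 8)
  (0...full).step(8) do |i|
    m = bytes[i, 8].pack("C*").unpack("Q<")[0]
    v3 ^= m
    2.times { v0, v1, v2, v3 = sip_round(v0, v1, v2, v3) }
    v0 ^= m
  end
  # Final block: the 0..7 leftover bytes, with the message length in the top byte.
  last = (bytes.length & 0xff) << 56
  bytes[full..-1].each_with_index { |b, i| last |= b << (8 * i) }
  v3 ^= last
  2.times { v0, v1, v2, v3 = sip_round(v0, v1, v2, v3) }
  v0 ^= last
  v2 ^= 0xff
  4.times { v0, v1, v2, v3 = sip_round(v0, v1, v2, v3) }
  v0 ^ v1 ^ v2 ^ v3
end

# Hypothetical helper: a fresh random key per process. This is what removes the
# attacker's ability to precompute collisions; Ruby's runtime seeds its own key.
def random_hash_key
  SecureRandom.random_bytes(16)
end

# Largest number of strings that land in one of +nbuckets+ buckets under +key+.
# A successful flood would show as one bucket holding nearly every string.
def max_bucket_load(strings, key, nbuckets)
  loads = Hash.new(0)
  strings.each { |s| loads[siphash24(key, s) % nbuckets] += 1 }
  loads.values.max || 0
end

if __FILE__ == $0
  key = random_hash_key
  # Constructed sample input: object keys as a JSON parser might receive them.
  sample = (1..1000).map { |i| "user#{i}" }
  puts "max bucket load for 1000 keys in 256 buckets: #{max_bucket_load(sample, key, 256)}"
end
```

Running the script prints a small maximum bucket load for the constructed sample; the same input hashed under a different random key gives a different but equally even spread, which is the property an unkeyed hash cannot offer once its collision structure is known.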

Affected Software    Affected Version    How to fix
Ruby                 >=1.9.0, <2.0.0     upgrade to Ruby 1.9.3-p327 or later


Frequently Asked Questions

  • What is the severity of REDHAT-BUG-875236?

    The severity of REDHAT-BUG-875236 is categorized as high due to its potential for denial of service attacks.

  • Which versions are affected by REDHAT-BUG-875236?

    REDHAT-BUG-875236 affects Ruby versions 1.9.0 through 1.9.3-p327 and the 2.0.0 preview.

  • How do I fix REDHAT-BUG-875236?

    To fix REDHAT-BUG-875236, upgrade to Ruby version 1.9.3-p327 or later.

  • What type of attack does REDHAT-BUG-875236 facilitate?

    REDHAT-BUG-875236 facilitates a hash-flooding denial of service (DoS) attack.

  • Can I secure my application against REDHAT-BUG-875236 without updating Ruby?

    No, the only effective way to secure your application against REDHAT-BUG-875236 is to update to a patched version of Ruby.
