Date: 03 January 2012
References: ESB-2012.0013.2 ESB-2012.0054 ESB-2012.0056 ESB-2012.0094 ESB-2012.0095 ESB-2012.0099 ESB-2012.0458 ESB-2012.0622 ESB-2012.0718
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0012
Hash table implementations vulnerable to algorithmic complexity attacks
3 January 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Apache Tomcat
Microsoft .NET Framework
Ruby
PHP 5
Publisher: US-CERT
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2011-4885 CVE-2011-4838 CVE-2011-4815
CVE-2011-3414
Original Bulletin:
http://www.kb.cert.org/vuls/id/903934
Comment: A hash collision denial of service condition has been found in
multiple web programming languages. Some vendors have provided updates
and/or workarounds; this bulletin provides additional information and
workarounds.
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability Note VU#903934
Hash table implementations vulnerable to algorithmic complexity attacks
Overview
Some programming language implementations do not sufficiently randomize their
hash functions or provide means to limit key collision attacks, which can be
leveraged by an unauthenticated attacker to cause a denial-of-service (DoS)
condition.
I. Description
Many applications, including common web framework implementations, use hash
tables to map key values to associated entries. If the hash table contains
entries for different keys that map to the same hash value, a hash collision
occurs and additional processing is required to determine which entry is
appropriate for the key. If an attacker can generate many requests containing
colliding key values, an application performing the hash table lookup may enter
a denial of service condition.
Hash collision denial-of-service attacks were first detailed in 2003, but
recent research details how these attacks apply to modern language hash table
implementations.
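To make the "additional processing" in the description concrete, here is an added example (not code from VU#903934 or CERT) of a minimal separate-chaining hash table that counts the key comparisons it performs. The same constructed set of keys is inserted once under a deliberately weak, predictable toy hash (sum of byte values, not the hash of any real runtime) and once under a keyed hash seeded with a per-process secret, which is the mitigation language runtimes adopted. The bucket count, key generator and the choice of BLAKE2b keyed mode as the stand-in for a SipHash-style keyed hash are assumptions made for this example.

```python
"""Added example, not part of VU#903934: a minimal chained hash table that
counts key comparisons, filled with constructed keys that all collide under
a weak, predictable hash, then with the same keys under a keyed hash.
weak_hash is a toy (sum of byte values); it is not any real runtime's hash."""
import hashlib
import os

BUCKETS = 64  # assumed table size for the demonstration


def weak_hash(key: bytes) -> int:
    # Predictable toy hash: any two keys with the same byte sum collide,
    # so whoever authors the input can steer every key into one bucket.
    return sum(key) % BUCKETS


def make_keyed_hash(secret: bytes):
    """Keyed hash: the per-process secret is mixed into every hash, so bucket
    placement cannot be predicted without knowing it. BLAKE2b keyed mode is
    used here as a stand-in for the SipHash-style keyed hashes runtimes use."""
    def keyed_hash(key: bytes) -> int:
        digest = hashlib.blake2b(key, key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big") % BUCKETS
    return keyed_hash


class ChainedTable:
    """Separate-chaining table; `comparisons` counts the key comparisons paid
    during inserts, i.e. the extra processing collisions cause."""

    def __init__(self, hash_fn):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(BUCKETS)]
        self.comparisons = 0

    def insert(self, key: bytes, value) -> None:
        chain = self.buckets[self.hash_fn(key)]
        for i, (existing, _) in enumerate(chain):
            self.comparisons += 1
            if existing == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def longest_chain(self) -> int:
        return max(len(chain) for chain in self.buckets)


def colliding_keys(n: int) -> list:
    """Constructed input: n distinct 4-byte keys whose byte sums are equal
    (each byte pair sums to ord('A') + ord('Z')), so weak_hash sends all of
    them to one bucket. Distinct for n <= 676."""
    keys = []
    for i in range(n):
        lo, hi = i % 26, (i // 26) % 26
        keys.append(bytes([65 + lo, 90 - lo, 65 + hi, 90 - hi]))
    return keys


def compare(n: int = 500) -> dict:
    """Insert the same colliding keys into a weak-hashed and a keyed table
    and report the longest chain and total comparisons for each."""
    keys = colliding_keys(n)
    weak = ChainedTable(weak_hash)
    keyed = ChainedTable(make_keyed_hash(os.urandom(16)))
    for key in keys:
        weak.insert(key, True)
        keyed.insert(key, True)
    return {
        "weak_longest_chain": weak.longest_chain(),
        "weak_comparisons": weak.comparisons,    # n*(n-1)/2: quadratic work
        "keyed_longest_chain": keyed.longest_chain(),
        "keyed_comparisons": keyed.comparisons,  # roughly n*n/(2*BUCKETS)
    }


if __name__ == "__main__":
    print(compare())
```

With 500 keys the weak table does 124,750 comparisons in a single 500-entry chain, while the keyed table spreads the same keys across buckets and does on the order of two thousand; the quadratic term is what an attacker who can predict the hash function turns into a denial of service, and the secret key is what removes that predictability.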
II. Impact
An application can be forced into a denial-of-service condition. In the case of
some web application servers, specially-crafted POST form data may result in a
denial-of-service.
III. Solution
Apply an update
Please review the Vendor Information section of this document for vendor-
specific patch and workaround details.
Limit CPU time
Limiting the processing time for a single request can help minimize the impact
of malicious requests.
Limit maximum POST size
Limiting the maximum POST request size can reduce the number of possible
predictable collisions, thus reducing the impact of an attack.
Limit maximum request parameters
Some servers offer the option to limit the number of parameters per request,
which can also minimize impact.
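The two request-side limits above (maximum POST size and maximum number of request parameters) can be enforced before any parameter is ever inserted into a hash table. The following is an added example, not code from the advisory or from any of the listed vendors, of a form-body parser that applies both limits to an application/x-www-form-urlencoded body; the limit values and the sample bodies are constructed for illustration and should be tuned to the application's real needs.

```python
"""Added example, not part of VU#903934: enforce a maximum body size and a
maximum parameter count on a form-encoded POST body before populating the
parameter table, so an oversized or over-parameterised request is rejected
early instead of being hashed entry by entry."""
from urllib.parse import unquote_plus

MAX_POST_BYTES = 4096  # assumed limit for the example
MAX_PARAMETERS = 100   # assumed limit for the example


class RequestRejected(Exception):
    """Raised when a request exceeds a configured limit (map to HTTP 413)."""


def parse_form_body(body: bytes,
                    max_bytes: int = MAX_POST_BYTES,
                    max_params: int = MAX_PARAMETERS) -> dict:
    """Parse a=b&c=d style bodies into a dict, applying both limits first."""
    # Limit 1: total size, checked before anything is parsed.
    if len(body) > max_bytes:
        raise RequestRejected(
            f"body of {len(body)} bytes exceeds limit of {max_bytes}")

    params = {}
    count = 0
    for pair in body.split(b"&"):
        if not pair:
            continue
        # Limit 2: parameter count, checked before the entry is inserted,
        # so the table never holds more than max_params keys.
        count += 1
        if count > max_params:
            raise RequestRejected(
                f"more than {max_params} parameters in request")
        raw_name, _, raw_value = pair.partition(b"=")
        name = unquote_plus(raw_name.decode("utf-8", errors="replace"))
        value = unquote_plus(raw_value.decode("utf-8", errors="replace"))
        params[name] = value
    return params


def accept(body: bytes) -> bool:
    """Convenience wrapper: True if the body passes both limits."""
    try:
        parse_form_body(body)
        return True
    except RequestRejected:
        return False


if __name__ == "__main__":
    # Constructed sample bodies.
    print(parse_form_body(b"user=alice&q=hash+table"))
    print(accept(b"&".join(b"k%d=v" % i for i in range(101))))  # too many
    print(accept(b"x=" + b"A" * 5000))                           # too large
```

Checking the size before parsing and the count before each insert is the point: the cost of a collision attack is paid at insertion time, so a limit that is only applied after the table has been built does not help.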
Vendor Information
Vendor                 Status    Date Notified  Date Updated
Adobe                  Unknown   2011-11-01     2011-11-01
  http://www.kb.cert.org/vuls/id/MAPG-8N7Q7A
Apache Tomcat          Affected                 2011-12-28
  http://www.kb.cert.org/vuls/id/DWAN-8PYMUS
IBM Corporation        Unknown   2011-11-01     2011-11-01
  http://www.kb.cert.org/vuls/id/MAPG-8N7Q7D
Microsoft Corporation  Affected  2011-11-01     2011-12-29
  http://www.kb.cert.org/vuls/id/MAPG-8N7Q7G
Oracle Corporation     Unknown   2011-11-01     2011-11-01
  http://www.kb.cert.org/vuls/id/MAPG-8N7Q7K
Ruby                   Affected  2011-11-01     2011-12-28
  http://www.kb.cert.org/vuls/id/MAPG-8N7Q7N
The PHP Group          Affected                 2011-12-28
  http://www.kb.cert.org/vuls/id/DWAN-8PYMFT
References
http://www.ocert.org/advisories/ocert-2011-003.html
http://www.nruns.com/_downloads/advisory28122011.pdf
http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf
http://technet.microsoft.com/en-us/security/bulletin/ms11-100.mspx
Credit
Thanks to Alexander Klink and Julian Wälde for reporting these vulnerabilities.
This document was written by Jared Allar and David Warren.
Other Information
Date Public: 2011-12-28
Date First Published: 2011-12-28
Date Last Updated: 2011-12-30
CERT Advisory:
CVE-ID(s): CVE-2011-4815 CVE-2011-3414 CVE-2011-4838 CVE-2011-4885
NVD-ID(s): CVE-2011-4815 CVE-2011-3414 CVE-2011-4838 CVE-2011-4885
US-CERT Technical Alerts:
Severity Metric: 10.80
Document Revision: 34
If you have feedback, comments, or additional information about this
vulnerability, please send us email.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----