Bugzilla – Bug 791181
VUL-1: CVE-2012-5370, CVE-2012-5371, CVE-2012-5372, CVE-2012-5373: multiple implementations denial-of-service via MurmurHash algorithm collision
Last modified: 2020-04-02 02:25:40 UTC
Via OSS-sec: Date: Fri, 23 Nov 2012 18:27:45 +0100 From: Andrea Barisani <lcars@ocert.org> To: oss-security@lists.openwall.com, ocert-announce@lists.ocert.org, bugtraq@securityfocus.com X-GPG-Key: 0x864C9B9E X-GPG-Fingerprint: 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E User-Agent: Mutt/1.5.20 (2009-06-14) Subject: [oss-security] [oCERT-2012-001] multiple implementations denial-of-service via MurmurHash algorithm collision X-Virus-Scanned: by amavisd-new at relay1.suse.de X-Spam-Status: No, score=-3.631 tagged_above=-20 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4, URI_HEX=0.368] X-Spam-Score: -3.631 X-Spam-Level: #2012-001 multiple implementations denial-of-service via MurmurHash algorithm collision Description: A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms. The issue is similar to the one reported in oCERT-2011-003 and concerns the MurmurHash algorithm family. The condition for predictable collisions in the hashing functions has been reported for the following language implementations: JRuby (MurmurHash2), Ruby (MurmurHash2), Rubinius (MurmurHash3), Oracle JDK (MurmurHash), OpenJDK (MurmurHash). In the case of Java OpenJDK the hash function affected by the reported issue is not enabled by default, the default function is however reported vulnerable to oCERT-2011-003. Affected version: Ruby < 1.9.3-p327 JRuby all versions Rubinius, all versions Oracle JDK <= 7 OpenJDK <= 7 Fixed version: Ruby >= 1.9.3-p327 JRuby, N/A Rubinius, N/A Oracle JDK, N/A OpenJDK, N/A Credit: vulnerability report received from Jean-Philippe Aumasson <jeanphilippe.aumasson AT gmail.com>, PoC code and SipHash implementation used to patch the issue developed by Martin Bosslet <martin.bosslet AT gmail.com>. CVE: CVE-2012-5370 (JRuby), CVE-2011-5371 (Ruby), CVE-2011-5372 (Rubinius), CVE-2011-5373 (Oracle JDK, OpenJDK) Timeline: 2012-08-30: vulnerability report sent to Ruby, JRuby and Rubinius security contacts 2012-09-03: vulnerability report forwarded to oCERT by Hiroshi Nakamura (Ruby security contact) 2012-09-06: oCERT contacted reporters to investigate additional affected projects 2012-09-06: reporters indicate OpenJDK as vulnerable and that Java security team has been contacted +on 2012-07-31 2012-09-10: oCERT requested CVE assignment for Ruby, JRuby and Rubinius 2012-09-12: Oracle JDK and OpenJDK confirmed vulnerable by reporters 2012-09-12: oCERT requested CVE assignment for Oracle JDK and OpenJDK 2012-10-10: reporters indicate public PoC release on 2012-11-07 at ASFWS 2012-11-08: assigned CVEs 2012-11-09: Ruby 1.9.3-p327 released 2012-11-23: advisory release References: https://www.131002.net/siphash Permalink: http://www.ocert.org/advisories/ocert-2012-001.html
This should be treated as a tracker bug, please split to the particular package if necessary.
bugbot adjusting priority
bug 789983 open for Ruby.
The CVE's in the initial advisory were wrong. The authors corrected them: " I just corrected the advisory. The correct CVEs are the following: CVE-2012-5370 (JRuby), CVE-2012-5371 (Ruby), CVE-2012-5372 (Rubinius), CVE-2012-5373 (Oracle JDK, OpenJDK) I apologize for the error. "
Fix is in ruby and presumably in Java (we can't influence that). Also the CVEs were wrong: CVE-2011-5371 ** REJECT ** ConsultIDs: CVE-2012-5371. Reason: This candidate is a duplicate of CVE-2012-5371. CVE-2011-5372 ** REJECT ** ConsultIDs: CVE-2012-5372. Reason: This candidate is a duplicate of CVE-2012-5372. CVE-2011-5373 ** REJECT ** ConsultIDs: CVE-2012-5373. Reason: This candidate is a duplicate of CVE-2012-5373.