ESB-2012.0012 - ALERT [Win][UNIX/Linux] Tomcat, .NET, Ruby, PHP: Denial of service - Remote/unauthenticated

Date: 03 January 2012
References: ESB-2012.0013.2  ESB-2012.0054  ESB-2012.0056  ESB-2012.0094  ESB-2012.0095  ESB-2012.0099  ESB-2012.0458  ESB-2012.0622  ESB-2012.0718

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0012
  Hash table implementations vulnerable to algorithmic complexity attacks
                              3 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Tomcat
                   Microsoft .NET Framework
                   Ruby
                   PHP 5
Publisher:         US-CERT
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-4885 CVE-2011-4838 CVE-2011-4815
                   CVE-2011-3414

Original Bulletin: 
   http://www.kb.cert.org/vuls/id/903934

Comment: A hash collision denial of service condition has been found in
         multiple web programming languages. Some vendors have provided updates
         and/or workarounds; this bulletin provides additional information and
         workarounds.

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#903934

Hash table implementations vulnerable to algorithmic complexity attacks

Overview

Some programming language implementations do not sufficiently randomize their
hash functions or provide means to limit key collision attacks, which can be
leveraged by an unauthenticated attacker to cause a denial-of-service (DoS)
condition.

I. Description

Many applications, including common web framework implementations, use hash
tables to map key values to associated entries. If the hash table contains
entries for different keys that map to the same hash value, a hash collision
occurs and additional processing is required to determine which entry is
appropriate for the key. If an attacker can generate many requests containing
colliding key values, an application performing the hash table lookup may enter
a denial of service condition.

Hash collision denial-of-service attacks were first detailed in 2003, but
recent research details how these attacks apply to modern language hash table
implementations.
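The following Python program is an added illustration and is not part of the CERT note or of any of the affected products. It builds a chained hash table twice over the same constructed key set: once with a deliberately weak, unkeyed hash (a character-code sum, chosen only because anagrams trivially collide under it; no real runtime uses it) and once with a keyed hash seeded from a per-process random secret, which is the "randomize the hash function" mitigation the note refers to. The longest chain is the number of entries a lookup has to walk, so it is the per-request work the colliding keys impose. The bucket count, the seed length and the key set are assumptions chosen for the demonstration.

```python
import hashlib
import os
from collections import defaultdict
from itertools import permutations
from typing import Callable, Iterable, Optional

BUCKETS = 64  # assumed table size for the demonstration


def weak_hash(key: str) -> int:
    # Deliberately weak, unkeyed hash (illustrative only): the sum of the
    # character codes ignores order, so every anagram of a key shares a bucket.
    return sum(key.encode()) % BUCKETS


def keyed_hash(key: str, seed: bytes) -> int:
    # Keyed hash: bucket positions depend on a secret seed the client never
    # learns, so a client cannot precompute a colliding key set.
    digest = hashlib.blake2b(key.encode(), key=seed, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def longest_chain(keys: Iterable[str], hash_fn: Callable[[str], int]) -> int:
    """Insert every key into a chained table and return the longest chain.

    Lookup cost in a chained table is proportional to the chain length, so
    this is the work each lookup does once the keys are in the table.
    """
    table = defaultdict(list)
    for k in keys:
        table[hash_fn(k)].append(k)
    return max(len(chain) for chain in table.values())


def anagram_keys(word: str) -> list:
    """Constructed sample input: every distinct permutation of `word`."""
    return sorted({"".join(p) for p in permutations(word)})


def compare(seed: Optional[bytes] = None) -> dict:
    """Longest chain for the same keys under the weak and the keyed hash."""
    if seed is None:
        seed = os.urandom(16)  # fresh secret per process, as a hardened runtime does
    keys = anagram_keys("abcde")  # 120 keys, all colliding under weak_hash
    return {
        "keys": len(keys),
        "weak_longest_chain": longest_chain(keys, weak_hash),
        "keyed_longest_chain": longest_chain(keys, lambda k: keyed_hash(k, seed)),
    }


if __name__ == "__main__":
    # Expected shape: weak chain equals the key count; keyed chain stays small.
    print(compare())
```

Under the weak hash all 120 keys land in one bucket, so every lookup degrades to a linear scan; under the keyed hash the same keys spread across the 64 buckets and the worst chain stays in single digits. The seed argument exists only so the run can be made reproducible; in a real runtime it stays secret and is regenerated per process.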

II. Impact

An application can be forced into a denial-of-service condition. In the case of
some web application servers, specially-crafted POST form data may result in a
denial-of-service.

III. Solution

Apply an update

Please review the Vendor Information section of this document for vendor-
specific patch and workaround details.

Limit CPU time

Limiting the processing time for a single request can help minimize the impact
of malicious requests.

Limit maximum POST size

Limiting the maximum POST request size can reduce the number of possible
predictable collisions, thus reducing the impact of an attack.

Limit maximum request parameters

Some servers offer the option to limit the number of parameters per request,
which can also minimize impact.
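The three workarounds above (bound the request size, bound the parameter count, and keep both checks cheap) can be applied before any form data reaches a hash table. The Python function below is an added example, not code from the CERT note or from any affected server; it does for a single POST body what server-side settings such as Tomcat's maxParameterCount and PHP's max_input_vars do globally. The byte and parameter limits are assumed values to be tuned per deployment; the parameter cap is enforced through urllib.parse's max_num_fields argument, which raises ValueError when exceeded.

```python
from urllib.parse import parse_qsl

MAX_BODY_BYTES = 64 * 1024  # assumed limit; tune per deployment
MAX_PARAMETERS = 1000       # assumed limit; tune per deployment


class RequestRejected(Exception):
    """Raised when a POST body exceeds a configured limit."""


def parse_form_body(body: bytes, max_bytes: int = MAX_BODY_BYTES,
                    max_params: int = MAX_PARAMETERS) -> dict:
    """Parse an application/x-www-form-urlencoded body under hard limits.

    Both checks run before a single key is inserted into a dict, so a
    request that exceeds a limit costs a length compare and a separator
    count, not a hash-table build.
    """
    # 1. Size limit: bounds how many keys one request can carry at all.
    if len(body) > max_bytes:
        raise RequestRejected(f"body of {len(body)} bytes exceeds {max_bytes}")
    # 2. Parameter-count limit: parse_qsl counts '&' separators up front and
    #    raises ValueError before splitting when the count exceeds max_num_fields.
    try:
        pairs = parse_qsl(body.decode("utf-8", errors="replace"),
                          keep_blank_values=True, max_num_fields=max_params)
    except ValueError as exc:
        raise RequestRejected(f"more than {max_params} parameters") from exc
    # Only now build the table; repeated keys are kept as lists, as most
    # frameworks do for form data.
    params = {}
    for key, value in pairs:
        params.setdefault(key, []).append(value)
    return params


def handle_post(body: bytes) -> dict:
    """Example request entry point: reject over-limit bodies with a 413."""
    try:
        return {"status": 200, "params": parse_form_body(body)}
    except RequestRejected as exc:
        return {"status": 413, "error": str(exc)}


if __name__ == "__main__":
    # Constructed sample bodies: one normal, one carrying 2000 parameters.
    print(handle_post(b"user=alice&tag=a&tag=b"))
    print(handle_post(b"&".join(b"k%d=v" % i for i in range(2000))))
```

The rejection path returns before any dict insertion, so the per-request cost of an over-limit body is linear in its length. A CPU-time limit, the note's other workaround, is normally enforced by the server's request or worker timeout rather than inside the parser.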

Vendor Information

Vendor                  Status      Date Notified   Date Updated

Adobe                   Unknown     2011-11-01      2011-11-01
  http://www.kb.cert.org/vuls/id/MAPG-8N7Q7A

Apache Tomcat           Affected                    2011-12-28
  http://www.kb.cert.org/vuls/id/DWAN-8PYMUS

IBM Corporation         Unknown     2011-11-01      2011-11-01
  http://www.kb.cert.org/vuls/id/MAPG-8N7Q7D

Microsoft Corporation   Affected    2011-11-01      2011-12-29
  http://www.kb.cert.org/vuls/id/MAPG-8N7Q7G

Oracle Corporation      Unknown     2011-11-01      2011-11-01
  http://www.kb.cert.org/vuls/id/MAPG-8N7Q7K

Ruby                    Affected    2011-11-01      2011-12-28
  http://www.kb.cert.org/vuls/id/MAPG-8N7Q7N

The PHP Group           Affected                    2011-12-28
  http://www.kb.cert.org/vuls/id/DWAN-8PYMFT

References

http://www.ocert.org/advisories/ocert-2011-003.html
http://www.nruns.com/_downloads/advisory28122011.pdf
http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf
http://technet.microsoft.com/en-us/security/bulletin/ms11-100.mspx

Credit

Thanks to Alexander Klink and Julian Wälde for reporting these vulnerabilities.

This document was written by Jared Allar and David Warren.

Other Information

Date Public:              2011-12-28
Date First Published:     2011-12-28
Date Last Updated:        2011-12-30
CERT Advisory:
CVE-ID(s):                CVE-2011-4815 CVE-2011-3414 CVE-2011-4838 CVE-2011-4885
NVD-ID(s):                CVE-2011-4815 CVE-2011-3414 CVE-2011-4838 CVE-2011-4885
US-CERT Technical Alerts:
Severity Metric:          10.80
Document Revision:        34

If you have feedback, comments, or additional information about this
vulnerability, please send us email.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----