
ESB-2012.0012 - ALERT [Win][UNIX/Linux] Tomcat, .NET, Ruby, PHP: Denial of service - Remote/unauthenticated

Date: 03 January 2012
References: ESB-2012.0013.2  ESB-2012.0054  ESB-2012.0056  ESB-2012.0094  ESB-2012.0095  ESB-2012.0099  ESB-2012.0458  ESB-2012.0622  ESB-2012.0718  


             AUSCERT External Security Bulletin Redistribution

  Hash table implementations vulnerable to algorithmic complexity attacks
                              3 January 2012


        AusCERT Security Bulletin Summary

Product:           Apache Tomcat
                   Microsoft .NET Framework
                   PHP 5
Publisher:         US-CERT
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-4885 CVE-2011-4838 CVE-2011-4815

Original Bulletin:

Comment: A hash collision denial of service condition has been found in
         multiple web programming languages. Some vendors have provided updates
         and/or workarounds; this bulletin provides additional information and

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#903934

Hash table implementations vulnerable to algorithmic complexity attacks


Some programming language implementations do not sufficiently randomize their
hash functions or provide means to limit key collision attacks, which can be
leveraged by an unauthenticated attacker to cause a denial-of-service (DoS)

I. Description

Many applications, including common web framework implementations, use hash
tables to map key values to associated entries. If the hash table contains
entries for different keys that map to the same hash value, a hash collision
occurs and additional processing is required to determine which entry is
appropriate for the key. If an attacker can generate many requests containing
colliding key values, an application performing the hash table lookup may enter
a denial of service condition.

Hash collision denial-of-service attacks were first detailed in 2003, but
recent research details how these attacks apply to modern language hash table
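
The following is an added illustration, not part of the CERT note: a minimal separate-chaining hash table instrumented to count key comparisons, so that the extra processing caused by colliding keys can be measured directly. It deliberately uses a constructed toy hash (key length) whose collisions are obvious by design, beside a secret-keyed hash (BLAKE2b with a per-process random key), which is the kind of hash randomization the note refers to. The class and function names, the bucket count and the sample parameter names are all assumptions of this example.

```python
"""Added example (not code from the CERT note or any vendor): a chained
hash table that counts key comparisons, comparing a constructed weak hash
with a secret-keyed hash on the same set of parameter names."""
import hashlib
import os


class ChainedTable:
    """Separate-chaining hash table that counts key comparisons."""

    def __init__(self, hash_fn, nbuckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0  # total key comparisons performed so far

    def _bucket(self, key):
        return self.buckets[self.hash_fn(key) % len(self.buckets)]

    def insert(self, key, value):
        chain = self._bucket(key)
        # Every existing entry in the chain must be compared before a new
        # key can be appended; this is the work an attacker tries to inflate.
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def get(self, key):
        for k, v in self._bucket(key):
            self.comparisons += 1
            if k == key:
                return v
        return None

    def longest_chain(self):
        return max(len(chain) for chain in self.buckets)


def toy_hash(key: str) -> int:
    # Constructed weak hash: all keys of the same length land in one bucket.
    return len(key)


_SECRET = os.urandom(16)  # per-process key, unknown to whoever sends requests


def keyed_hash(key: str) -> int:
    # Keyed BLAKE2b: without _SECRET the bucket a key maps to is unpredictable.
    digest = hashlib.blake2b(key.encode(), key=_SECRET, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def insertion_cost(hash_fn, keys):
    """Insert every key into a fresh table; return (comparisons, longest chain)."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, True)
    return table.comparisons, table.longest_chain()


# Constructed workload: 2000 distinct, equal-length parameter names, the
# sort of thing a web framework stores in a hash table per request.
PARAM_NAMES = [f"p{i:05d}" for i in range(2000)]

if __name__ == "__main__":
    weak = insertion_cost(toy_hash, PARAM_NAMES)
    keyed = insertion_cost(keyed_hash, PARAM_NAMES)
    print("toy_hash   comparisons=%d longest_chain=%d" % weak)
    print("keyed_hash comparisons=%d longest_chain=%d" % keyed)
```

With the toy hash every insert walks the entire existing chain, so 2000 keys cost 1,999,000 comparisons (quadratic in the number of keys); with the keyed hash the same keys spread across the buckets and the total stays in the low thousands. The point for a defender is that the cost is a property of the hash function's predictability, not of the key set itself.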

II. Impact

An application can be forced into a denial-of-service condition. In the case of
some web application servers, specially-crafted POST form data may result in a

III. Solution

Apply an update

Please review the Vendor Information section of this document for vendor-
specific patch and workaround details.

Limit CPU time

Limiting the processing time for a single request can help minimize the impact
of malicious requests.

Limit maximum POST size

Limiting the maximum POST request size can reduce the number of possible
predictable collisions, thus reducing the impact of an attack.

Limit maximum request parameters

Some servers offer the option to limit the number of parameters per request,
which can also minimize impact.
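
As an added example (not code from the CERT note or from any of the vendors listed below), the three workarounds above applied in one place: a form-body parser that rejects an oversized body before touching it, stops as soon as the parameter count limit is exceeded, and abandons the request when its CPU-time budget is spent, all before any parameter name is inserted into a dictionary. The limit values, the `RequestRejected` exception and the sample bodies are assumptions of this example.

```python
"""Added example, not the note's or a vendor's code: parse
application/x-www-form-urlencoded data under explicit size, parameter
count and processing-time limits.  Limit values are assumed defaults."""
import time
from urllib.parse import unquote_plus


class RequestRejected(Exception):
    """Raised when a request exceeds a configured limit (assumed type)."""


def parse_form_body(body: bytes, *, max_body_bytes: int = 65536,
                    max_params: int = 1000, cpu_budget_s: float = 0.5) -> dict:
    """Parse a form body into a dict, enforcing three limits:

    max_body_bytes  reject oversized bodies before any parsing work is done
    max_params      stop once the parameter count limit is exceeded; pairs
                    are counted rather than distinct names, because every
                    pair still costs a hash table lookup
    cpu_budget_s    abandon the request when its CPU time budget is spent
                    (the per-request processing limit the note recommends)
    """
    if len(body) > max_body_bytes:
        raise RequestRejected(
            f"body of {len(body)} bytes exceeds limit of {max_body_bytes}")

    budget_end = time.process_time() + cpu_budget_s
    params = {}
    seen = 0
    for pair in body.split(b"&"):
        if not pair:
            continue
        seen += 1
        if seen > max_params:
            raise RequestRejected(f"more than {max_params} parameters")
        if time.process_time() > budget_end:
            raise RequestRejected("per-request processing budget exhausted")
        raw_name, _, raw_value = pair.partition(b"=")
        # Decode and insert only after the count check: the dictionary
        # insert is the operation whose cost an attacker tries to inflate.
        name = unquote_plus(raw_name.decode("latin-1"))
        params[name] = unquote_plus(raw_value.decode("latin-1"))
    return params


def safe_parse(body: bytes, **limits):
    """Return ("ok", params) or ("rejected", reason) for a request body."""
    try:
        return "ok", parse_form_body(body, **limits)
    except RequestRejected as exc:
        return "rejected", str(exc)


# Constructed sample requests: an ordinary form post, one carrying far more
# parameters than any real form needs, and one whose body is oversized.
NORMAL_BODY = b"user=alice&lang=en+au&x=%41"
MANY_PARAMS_BODY = b"&".join(b"k%d=v" % i for i in range(1001))
OVERSIZED_BODY = b"a=" + b"x" * 70000

if __name__ == "__main__":
    samples = [("normal", NORMAL_BODY), ("many params", MANY_PARAMS_BODY),
               ("oversized", OVERSIZED_BODY)]
    for label, body in samples:
        status, detail = safe_parse(body)
        shown = len(detail) if status == "ok" else detail
        print(f"{label:12s} -> {status}: {shown}")
```

The size check runs before the loop because it is the cheapest test; the count check runs per pair so that a request carrying thousands of names is dropped after the thousand-and-first, not after all of them have been hashed. The CPU budget uses `time.process_time()` rather than wall-clock time so that a busy host does not reject requests that were merely waiting.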

Vendor Information

Vendor                  Status      Date Notified   Date Updated

Adobe                   Unknown     2011-11-01      2011-11-01
Apache Tomcat           Affected                    2011-12-28
IBM Corporation         Unknown     2011-11-01      2011-11-01
Microsoft Corporation   Affected    2011-11-01      2011-12-29
Oracle Corporation      Unknown     2011-11-01      2011-11-01
Ruby                    Affected    2011-11-01      2011-12-28
The PHP Group           Affected                    2011-12-28


Thanks to Alexander Klink and Julian Wälde for reporting these vulnerabilities.

This document was written by Jared Allar and David Warren.

Other Information
Date Public:	2011-12-28
Date First Published:	2011-12-28
Date Last Updated:	2011-12-30
CERT Advisory:	 
CVE-ID(s):	CVE-2011-4815 CVE-2011-3414 CVE-2011-4838 CVE-2011-4885
NVD-ID(s):	CVE-2011-4815 CVE-2011-3414 CVE-2011-4838 CVE-2011-4885
US-CERT Technical Alerts:	 
Severity Metric:	10.80
Document Revision:	34

If you have feedback, comments, or additional information about this
vulnerability, please send us email.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.