oCERT-2011-003 multiple implementations denial-of-service via hash algorithm collision

Description:

A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.

The issue finds particular exposure in web server applications and/or frameworks. In particular, the lack of sufficient limits for the number of parameters in POST requests in conjunction with the predictable collision properties in the hashing functions of the underlying languages can render web applications vulnerable to the DoS condition. The attacker, using specially crafted HTTP requests, can lead to a 100% of CPU usage which can last up to several hours depending on the targeted application and server performance, the amplification effect is considerable and requires little bandwidth and time on the attacker side.

The condition for predictable collisions in the hashing functions has been reported for the following language implementations: Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the Ruby language, the 1.9.x branch is not affected by the predictable collision condition since this version includes a randomization of the hashing function.

The vulnerability outlined in this advisory is practically identical to the one reported in 2003 and described in the paper Denial of Service via Algorithmic Complexity Attacks which affected the Perl language.

The reporters own advisory can be found at http://www.nruns.com/_downloads/advisory28122011.pdf

Affected version:

Java, all versions

JRuby <= 1.6.5

PHP <= 5.3.8, <= 5.4.0RC3

Python <= 2.6.7, <= 2.7.3, <= 3.1.4, <= 3.2.2

Rubinius, all versions

Ruby <= 1.8.7-p356

Apache Geronimo, all versions

Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22

Oracle Glassfish <= 3.1.1

Jetty <= 7.5.4

Plone, all versions

Rack <= 1.3.5, <= 1.2.4, <= 1.1.2

V8 JavaScript Engine, all versions

Fixed version:

Java, N/A

JRuby >= 1.6.5.1

PHP >= 5.3.9, >= 5.4.0RC4

Python >= 2.6.8, >= 2.7.3, >= 3.1.5, >= 3.2.3 (hash randomization disabled by default, use -R flag to enable it)

Rubinius, N/A

Ruby >= 1.8.7-p357, 1.9.x

Apache Geronimo, N/A

Apache Tomcat >= 5.5.35, >= 6.0.35, >= 7.0.23

Oracle Glassfish, N/A (addressed in Oracle Critical Patch Update - January 2012)

Jetty >= 7.6.0.RC3

Plone, N/A

Rack >= 1.4.0, >= 1.3.6, >= 1.2.5, >= 1.1.3

V8 JavaScript Engine, N/A

Credit: vulnerability report and PoC code received from Alexander Klink <alexander.klink AT nruns.com> and Julian Waelde <jwaelde AT cdc.informatik.tu-darmstadt.de>.

CVE: CVE-2011-5034 (Apache Geronimo), CVE-2011-5035 (Oracle Glassfish), CVE-2011-4461 (Jetty), CVE-2011-4838 (JRuby), CVE-2011-4885 (PHP), CVE-2011-4462 (Plone), CVE-2011-5036 (Rack), CVE-2011-4815 (Ruby), CVE-2011-4858 (Apache Tomcat), CVE-2011-5037 (V8 JavaScript Engine)

2011-09-25: vulnerability report received, reporters set embargo date to December 27th

2011-10-18: contacted maintainers of Apache Tomcat, Apache Geronimo, Jetty, Java, Plone, Zope, V8

2011-11-01: contacted maintainers of Ruby on Rails, Ruby, Python, PHP

2011-11-01: contacted affected distributions

2011-11-02: contacted JRuby maintainer

2011-12-13: contacted Ruby Installer maintainer

2011-12-14: assigned CVE for Ruby

2011-12-15: assigned CVE for JRuby

2011-12-13: contacted Rack maintainer

2011-12-16: assigned CVE for Apache Tomcat

2011-12-21: assigned CVE for PHP

2011-12-28: advisory release

2011-12-29: updated information about Rack affected/fixed versions

2011-12-30: assigned CVEs for Apache Geronimo, Oracle Glassfish, Rack, V8 JavaScript Engine

2012-01-03: corrected Apache Tomcat CVE reference

2012-01-17: updated information about Jetty affected/fixed versions

2012-01-17: updated information about Oracle Glassfish fixed versions

2012-02-27: updated information about Python fixed versions



References:

http://www.nruns.com/_downloads/advisory28122011.pdf

http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf

http://svn.php.net/viewvc?view=revision&revision=321003 (unstable, not final)

http://svn.php.net/viewvc?view=revision&revision=321040 (unstable, not final)

https://gist.github.com/52bbc6b9cc19ce330829