396401 – <www-servers/tomcat-{6.0.35,7.0.23} Hash Algorithm Collision DoS (CVE-2011-4858,CVE-2012-0022)

Bug 396401 - <www-servers/tomcat-{6.0.35,7.0.23} Hash Algorithm Collision DoS (CVE-2011-4858,CVE-2012-0022)

Summary: <www-servers/tomcat-{6.0.35,7.0.23} Hash Algorithm Collision DoS (CVE-2011-48...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	http://www.ocert.org/advisories/ocert...
Whiteboard:	B3 [glsa]
Keywords:

Depends on:	395923 395933 409609 414375
Blocks:	hashDoS
	Show dependency tree

Reported:	2011-12-29 11:27 UTC by Michael Harrison
Modified:	2012-06-24 14:13 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Harrison 2011-12-29 11:27:55 UTC

Java offers the HashMap and Hashtable classes, which use the
String.hashCode() hash function. It is very similar to DJBX33A (instead of 33, it uses the multiplication constant 31 and instead of the start value 5381 it uses 0). Thus it is also vulnerable to an equivalent substring attack. When hashing a string, Java also caches the hash value in the hash attribute, but only if the result is different from zero.
Thus, the target value zero is particularly interesting for an attacker as it prevents caching and forces re-hashing. Different web application parse the POST data differently, but the ones tested (Tomcat, Geronima, Jetty, Glassfish) all put the POST form data into either a Hashtable or HashMap object. The maximal POST sizes also differ from server to server, with 2 MB being the most common.

Tomcat 6.0.32 server parses a 2 MB string of colliding keys in about
44 minutes of i7 CPU time, so an attacker with about 6 kbit/s can keep one i7 core constantly busy. If the attacker has a Gigabit connection, he can keep about 100.000 i7 cores busy.

Comment 1 Tim Sammut (RETIRED) gentoo-dev

2012-02-25 04:22:31 UTC

I think the previous CVE listed here may be incorrect; I don't see it listed anywhere on https://tomcat.apache.org/security-6.html.

Comment 2 GLSAMaker/CVETool Bot gentoo-dev

2012-02-25 04:25:30 UTC

CVE-2012-0022 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0022):
  Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23
  uses an inefficient approach for handling parameters, which allows remote
  attackers to cause a denial of service (CPU consumption) via a request that
  contains many parameters and parameter values, a different vulnerability
  than CVE-2011-4858.

Comment 3 GLSAMaker/CVETool Bot gentoo-dev

2012-02-25 04:29:07 UTC

CVE-2011-4858 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4858):
  Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23
  computes hash values for form parameters without restricting the ability to
  trigger hash collisions predictably, which allows remote attackers to cause
  a denial of service (CPU consumption) by sending many crafted parameters.

Comment 4 Tim Sammut (RETIRED) gentoo-dev

2012-03-13 21:58:28 UTC

Thanks, folks. GLSA Vote: yes.

Comment 5 Sean Amoss (RETIRED) gentoo-dev

2012-03-23 13:31:18 UTC

GLSA vote: yes. 

Added to existing GLSA request.

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2012-06-24 14:13:06 UTC

This issue was resolved and addressed in
 GLSA 201206-24 at http://security.gentoo.org/glsa/glsa-201206-24.xml
by GLSA coordinator Tobias Heinlein (keytoaster).