Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 445198 (CVE-2012-5373)

Summary: dev-java/sun-{jdk,jre-bin}, app-emul/emul-linux-x86-java, dev-java/oracle-{jdk,jre}-bin: Murmur hash function collisions (CVE-2012-5373)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: java
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=880705
Whiteboard: B3 [upstream]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2012-11-29 13:07:58 UTC 
From $URL :

A denial of service flaw was found in the Murmur hash function implementation, as being used by 
various Java implementations. A specially-crafted set of keys could trigger Murmur hash function 
collisions, which degrade hash table items insert performance by changing hash table operations 
complexity from an expected/average O(n) to the worst case O(n^2). Reporters were able to find 
colliding strings efficiently using equivalent substrings.

As various web application frameworks for Java automatically pre-fill certain arrays with data from 
the HTTP request (such as GET or POST parameters) for Java web applications, a remote attacker 
could use this flaw to make the Java virtual machine to use an excessive amount of CPU time by 
sending a POST request with a large number parameters which hash to the same value.

A different vulnerability than CVE-2012-2739.

References:
[1] http://www.openwall.com/lists/oss-security/2012/11/23/4
[2] http://www.ocert.org/advisories/ocert-2012-001.html
[3] http://2012.appsec-forum.ch/conferences/#c17
[4] https://www.131002.net/data/talks/appsec12_slides.pdf
[5] http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 22:05:57 UTC 
CVE-2012-5373 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5373):
  Oracle Java SE 7 and earlier, and OpenJDK 7 and earlier, computes hash
  values without properly restricting the ability to trigger hash collisions
  predictably, which allows context-dependent attackers to cause a denial of
  service (CPU consumption) via crafted input to an application that maintains
  a hash table, as demonstrated by a universal multicollision attack against
  the MurmurHash3 algorithm, a different vulnerability than CVE-2012-2739.
Comment 2 James Le Cuirot gentoo-dev 2015-05-26 22:30:01 UTC 
dev-java/sun-{jdk,jre-bin} and app-emul/emul-linux-x86-java have gone. dev-java/oracle-{jdk,jre}-bin were updated beyond 7u7 ages ago. It's really too late to issue a GLSA report about it now.