|The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.|
Multiple: denial of service via hash collision
Synthesis of the vulnerability
An attacker can send data generating storage collisions, in order to overload a service.
Impacted software: CheckPoint Endpoint Security, CheckPoint Security Gateway, Debian, Fedora, WebSphere AS Traditional, IIS, .NET Framework, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, Snap Creator Framework, openSUSE, Oracle AS, Oracle Communications, Oracle DB, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Oracle iPlanet Web Server, Tuxedo, WebLogic, Oracle Web Tier, RHEL.
Severity of this computer vulnerability: 3/4.
Consequences of a hack: denial of service on service, denial of service on client.
Attacker's origin: internet client.
Number of vulnerabilities in this bulletin: 11.
Creation date: 28/12/2011.
Revision date: 22/02/2012.
Références of this announce: 1506603, 2638420, 2659883, BID-51186, BID-51194, BID-51195, BID-51196, BID-51197, BID-51199, BID-51235, BID-51441, CERTA-2011-AVI-727, CERTA-2011-AVI-728, cpujul2018, CVE-2011-3414, CVE-2011-4461, CVE-2011-4462, CVE-2011-4885, CVE-2011-5034, CVE-2011-5035, CVE-2011-5036, CVE-2011-5037, CVE-2012-0039, CVE-2012-0193, CVE-2012-0839, DSA-2783-1, DSA-2783-2, FEDORA-2012-0730, FEDORA-2012-0752, MS11-100, n.runs-SA-2011.004, NTAP-20190307-0004, oCERT-2011-003, openSUSE-SU-2012:0262-1, PM53930, RHSA-2012:1604-01, RHSA-2012:1605-01, RHSA-2012:1606-01, RHSA-2013:1455-01, RHSA-2013:1456-01, sk66350, VIGILANCE-VUL-11254, VU#903934.
Description of the vulnerability
A hash table stores information, as keys pointing to values. Each key is converted to an integer, which is the index of the area where to store data. For example:
- keyA is converted to 34
- keyB is converted to 13
Data are then stored at offsets 34 and 13.
In most cases, these keys generate integers which are uniformly located in the storage area (which runs for example between 0 and 99). However, if an attacker computes his keys in such a way that they are converted to the same integer (for example 34), all data are stored at the same location (at the index 34). The access time to these data is thus very large.
A posted HTTP form is used to send a lot of variables. For example: var1=a, var2=b, etc. Web servers store these variables in a hash table. However, if the attacker computes his keys (variable names) in such a way that they are all stored at the same place, he can overload the server.
Other features, such as a JSON parser or additional services, can also be used as an attack vector.
The following products are also impacted:
- Apache APR (VIGILANCE-VUL-11380)
- Apache Xerces-C++ (VIGILANCE-VUL-15082)
- Apache Xerces Java (VIGILANCE-VUL-15083)
- expat (VIGILANCE-VUL-11420)
- Java Lightweight HTTP Server (VIGILANCE-VUL-11381)
- Java Language (VIGILANCE-VUL-11715)
- libxml2 (VIGILANCE-VUL-11384)
- PHP (VIGILANCE-VUL-11379)
- Python (VIGILANCE-VUL-11416)
- Ruby (VIGILANCE-VUL-11382)
- Tomcat (VIGILANCE-VUL-11383)
An attacker can therefore send data generating storage collisions, in order to overload a service.
Full Vigil@nce bulletin... (Free trial)
Computer vulnerabilities tracking service
Vigil@nce provides a network vulnerability note. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The Vigil@nce vulnerability database contains several thousand vulnerabilities.