The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability note CVE-2011-3414 CVE-2011-4461 CVE-2011-4462

Multiple: denial of service via hash collision

Synthesis of the vulnerability

An attacker can send data generating storage collisions, in order to overload a service.
Severity of this computer vulnerability: 3/4.
Number of vulnerabilities in this bulletin: 11.
Creation date: 28/12/2011.
Revision date: 22/02/2012.
References of this announcement: 1506603, 2638420, 2659883, BID-51186, BID-51194, BID-51195, BID-51196, BID-51197, BID-51199, BID-51235, BID-51441, CERTA-2011-AVI-727, CERTA-2011-AVI-728, cpujul2018, CVE-2011-3414, CVE-2011-4461, CVE-2011-4462, CVE-2011-4885, CVE-2011-5034, CVE-2011-5035, CVE-2011-5036, CVE-2011-5037, CVE-2012-0039, CVE-2012-0193, CVE-2012-0839, DSA-2783-1, DSA-2783-2, FEDORA-2012-0730, FEDORA-2012-0752, MS11-100, n.runs-SA-2011.004, NTAP-20190307-0004, oCERT-2011-003, openSUSE-SU-2012:0262-1, PM53930, RHSA-2012:1604-01, RHSA-2012:1605-01, RHSA-2012:1606-01, RHSA-2013:1455-01, RHSA-2013:1456-01, sk66350, VIGILANCE-VUL-11254, VU#903934.

Description of the vulnerability

A hash table stores information as keys pointing to values. Each key is converted to an integer, which is the index of the location where the data is stored. For example:
 - keyA is converted to 34
 - keyB is converted to 13
Data are then stored at offsets 34 and 13.

In most cases, these keys generate integers which are uniformly distributed over the storage area (which runs, for example, between 0 and 99). However, if an attacker computes keys in such a way that they are all converted to the same integer (for example 34), all data are stored at the same location (at index 34). The access time to these data is thus very large.

A posted HTTP form is used to send a lot of variables. For example: var1=a, var2=b, etc. Web servers store these variables in a hash table. However, if the attacker computes his keys (variable names) in such a way that they are all stored at the same place, he can overload the server.

Other features, such as a JSON parser or additional services, can also be used as an attack vector.
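
The cost described above can be measured on a toy table. The following is an added example, not code from any of the listed products: it counts key comparisons when every variable name lands in the same slot, then shows two defences, a request-size cap (the idea behind the workaround in this bulletin) and a keyed hash (a general mitigation not listed in this bulletin). The names weak_hash, keyed_hash, insert_cost and parse_form, and the sample input, are constructed for illustration.

```python
# Added illustration: a toy chained hash table, not any listed product's code.
import hashlib
import os
from itertools import permutations

BUCKETS = 100  # storage area 0..99, as in the description above


def weak_hash(key):
    """Unkeyed, predictable hash: byte sum modulo the table size."""
    return sum(key.encode()) % BUCKETS


_SECRET = os.urandom(16)  # per-process key, unknown to the client


def keyed_hash(key):
    """Keyed hash: bucket choice depends on a secret the sender cannot see."""
    digest = hashlib.blake2b(key.encode(), key=_SECRET, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def insert_cost(keys, hash_fn):
    """Insert keys into a chained table; return the number of key comparisons."""
    buckets = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = buckets[hash_fn(key)]
        for existing in chain:
            comparisons += 1
            if existing == key:
                break
        else:
            chain.append(key)  # key not present yet: append to the chain
    return comparisons


def parse_form(body, max_bytes):
    """Reject oversized bodies before any key reaches the hash table."""
    if len(body) > max_bytes:
        raise ValueError("request body exceeds configured limit")
    return [pair.split("=", 1)[0] for pair in body.split("&") if pair]


# Constructed sample input: 720 names with identical byte sums (anagrams).
COLLIDING = ["".join(p) for p in permutations("abcdef")]
BODY = "&".join(name + "=1" for name in COLLIDING)

if __name__ == "__main__":
    print("weak hash :", insert_cost(COLLIDING, weak_hash))
    print("keyed hash:", insert_cost(COLLIDING, keyed_hash))
```

With n names in a single slot the table performs n(n-1)/2 comparisons, so the work grows quadratically with the request size, which is why capping the request bounds the worst case.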

The following products are also impacted:
 - Apache APR (VIGILANCE-VUL-11380)
 - Apache Xerces-C++ (VIGILANCE-VUL-15082)
 - Apache Xerces Java (VIGILANCE-VUL-15083)
 - expat (VIGILANCE-VUL-11420)
 - Java Lightweight HTTP Server (VIGILANCE-VUL-11381)
 - Java Language (VIGILANCE-VUL-11715)
 - libxml2 (VIGILANCE-VUL-11384)
 - PHP (VIGILANCE-VUL-11379)
 - Python (VIGILANCE-VUL-11416)
 - Ruby (VIGILANCE-VUL-11382)
 - Tomcat (VIGILANCE-VUL-11383)

An attacker can therefore send data generating storage collisions, in order to overload a service.

This computer vulnerability announcement impacts software or systems such as CheckPoint Endpoint Security, CheckPoint Security Gateway, Debian, Fedora, WebSphere AS Traditional, IIS, .NET Framework, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, Snap Creator Framework, openSUSE, Oracle AS, Oracle Communications, Oracle DB, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Oracle iPlanet Web Server, Tuxedo, WebLogic, Oracle Web Tier, RHEL.

Our Vigil@nce team determined that the severity of this cybersecurity bulletin is important.

The trust level is "confirmed by the editor", and the attack origin is "internet client".

This bulletin is about 11 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with beginner-level skills can exploit this vulnerability.

Solutions for this threat

Microsoft .NET: patch.
A patch is available:
Windows XP SP3
  Microsoft .NET Framework 1.1 SP1
    http://www.microsoft.com/downloads/details.aspx?familyid=471e1f51-c79c-4285-9f1e-aee1e4c4f189
  Microsoft .NET Framework 2.0 SP2
    http://www.microsoft.com/downloads/details.aspx?familyid=eff633f7-abd9-45cc-acbd-4885123dbed2
  Microsoft .NET Framework 3.5 SP1
    http://www.microsoft.com/downloads/details.aspx?familyid=306acd0a-bea2-40dd-a639-f381587c9eb7
  Microsoft .NET Framework 4
    http://www.microsoft.com/downloads/details.aspx?familyid=37a8fb34-e3ad-4605-980b-28361889ce72
Windows 2003 SP2
  Microsoft .NET Framework 1.1 SP1
    http://www.microsoft.com/downloads/details.aspx?familyid=7538762a-50e9-4f13-a60e-ff99aa8fbbf8
    http://www.microsoft.com/downloads/details.aspx?familyid=471e1f51-c79c-4285-9f1e-aee1e4c4f189
  Microsoft .NET Framework 2.0 SP2
    http://www.microsoft.com/downloads/details.aspx?familyid=eff633f7-abd9-45cc-acbd-4885123dbed2
  Microsoft .NET Framework 3.5 SP1
    http://www.microsoft.com/downloads/details.aspx?familyid=306acd0a-bea2-40dd-a639-f381587c9eb7
  Microsoft .NET Framework 4
    http://www.microsoft.com/downloads/details.aspx?familyid=37a8fb34-e3ad-4605-980b-28361889ce72
Windows Vista SP2
  Microsoft .NET Framework 1.1 SP1
    http://www.microsoft.com/downloads/details.aspx?familyid=471e1f51-c79c-4285-9f1e-aee1e4c4f189
  Microsoft .NET Framework 2.0 SP2
    http://www.microsoft.com/downloads/details.aspx?familyid=49050cf2-949a-40e5-b2ee-6257a3837294
  Microsoft .NET Framework 3.5 SP1
    http://www.microsoft.com/downloads/details.aspx?familyid=306acd0a-bea2-40dd-a639-f381587c9eb7
  Microsoft .NET Framework 4
    http://www.microsoft.com/downloads/details.aspx?familyid=37a8fb34-e3ad-4605-980b-28361889ce72
Windows Server 2008 SP2
  Microsoft .NET Framework 1.1 SP1
    http://www.microsoft.com/downloads/details.aspx?familyid=471e1f51-c79c-4285-9f1e-aee1e4c4f189
  Microsoft .NET Framework 2.0 SP2
    http://www.microsoft.com/downloads/details.aspx?familyid=49050cf2-949a-40e5-b2ee-6257a3837294
  Microsoft .NET Framework 3.5 SP1
    http://www.microsoft.com/downloads/details.aspx?familyid=306acd0a-bea2-40dd-a639-f381587c9eb7
  Microsoft .NET Framework 4
    http://www.microsoft.com/downloads/details.aspx?familyid=37a8fb34-e3ad-4605-980b-28361889ce72
Windows 7 Gold
  Microsoft .NET Framework 3.5.1
    http://www.microsoft.com/downloads/details.aspx?familyid=2de28d32-1efd-4177-82e6-19a08266096c
  Microsoft .NET Framework 4
    http://www.microsoft.com/downloads/details.aspx?familyid=37a8fb34-e3ad-4605-980b-28361889ce72
Windows 7 SP1
  Microsoft .NET Framework 3.5.1
    http://www.microsoft.com/downloads/details.aspx?familyid=26e0b56d-9228-49cf-9276-0741257567a9
  Microsoft .NET Framework 4
    http://www.microsoft.com/downloads/details.aspx?familyid=37a8fb34-e3ad-4605-980b-28361889ce72
Windows Server 2008 R2 Gold
  Microsoft .NET Framework 3.5.1
    http://www.microsoft.com/downloads/details.aspx?familyid=2de28d32-1efd-4177-82e6-19a08266096c
  Microsoft .NET Framework 4
    http://www.microsoft.com/downloads/details.aspx?familyid=37a8fb34-e3ad-4605-980b-28361889ce72
Windows Server 2008 R2 SP1
  Microsoft .NET Framework 3.5.1
    http://www.microsoft.com/downloads/details.aspx?familyid=26e0b56d-9228-49cf-9276-0741257567a9
  Microsoft .NET Framework 4
    http://www.microsoft.com/downloads/details.aspx?familyid=37a8fb34-e3ad-4605-980b-28361889ce72
The Microsoft announcement indicates workarounds.

Microsoft ASP.NET: workaround for hash collision.
A workaround is to limit the size of accepted queries. For example, with ViewState:
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="200" />
  </system.web>
</configuration>
The Microsoft announcement and the following document indicate how to configure ASP.NET:
  http://msdn.microsoft.com/en-us/library/ms178683.aspx

Check Point Security Gateway, Endpoint Security: patch for hash collision.
A patch is available for Security Gateway and Connectra:
  https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=13554
For EndPoint Security Server, execute:
  cpstop
  cd %uepmdir%\engine\conf
  copy server.xml server.xml.bak
  remove the following line from server.xml: <Context docBase="WRH" path="/webrh" reloadable="false"/>
  cpstart

Debian: new librack-ruby packages.
New packages are available:
  librack-ruby 1.1.0-4+squeeze1

Fedora: new jetty packages.
New packages are available:
  jetty-6.1.26-7.fc15
  jetty-6.1.26-8.fc16

NetApp Snap Creator Framework: solution for Eclipse Jetty.
The solution is not yet known.
Feel free to contact our team if you have a generic solution.

openSUSE 11.4: new jetty5 packages.
New packages are available:
  jetty5-5.1.14-11.12.1

Oracle AS, WebLogic, iPlanet Web Server: patch for hash collision.
A patch is available:
  Oracle Application Server, Oracle WebLogic Server:
    http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1400322.1
  Oracle iPlanet Web Server, Oracle Java System Web Server:
    http://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1400369.1

Oracle Fusion Middleware: CPU of July 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2394520.1

Red Hat Satellite: new java-1.6.0-ibm packages.
New packages are available:
Red Hat Satellite (RHEL v.5):
  java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9
Red Hat Satellite (RHEL v.6):
  java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4

RHEL: new Fuse Enterprise packages.
New packages are available:
  Fuse ESB Enterprise: jetty, jruby
  Fuse MQ Enterprise: jetty
  Fuse Management Console: jetty

WebSphere AS: APAR PM53930.
The APAR PM53930 is available.