CERT RENATER advisories

Date: Thu, 29 Dec 2011 17:02:39 +0100
Type: VULN
Subject: CERT-Renater : 2011/VULN677 (US-CERT : Hash table implementations vulnerable to algorithmic complexity attacks)
====================================================================
                                      CERT-Renater

                           Information Note No. 2011/VULN677
_____________________________________________________________________

DATE                : 29/12/2011

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Hash table implementations.

======================================================================
http://www.kb.cert.org/vuls/id/903934
______________________________________________________________________


Vulnerability Note VU#903934

Hash table implementations vulnerable to algorithmic complexity attacks


Overview

Some programming language implementations do not sufficiently randomize
their hash functions or provide means to limit key collision attacks,
which can be leveraged by an unauthenticated attacker to cause a
denial-of-service (DoS) condition.


I. Description

Many applications, including common web framework implementations, use
hash tables to map key values to associated entries. If the hash table
contains entries for different keys that map to the same hash value, a
hash collision occurs and additional processing is required to determine
which entry is appropriate for the key. If an attacker can generate many
requests containing colliding key values, an application performing the
hash table lookup may enter a denial of service condition.

Hash collision denial-of-service attacks were first detailed in 2003,
but recent research details how these attacks apply to modern language
hash table implementations.


II. Impact

An application can be forced into a denial-of-service condition. In the
case of some web application servers, specially-crafted POST form data
may result in a denial-of-service.


III. Solution

Apply an update

Please review the Vendor Information section of this document for
vendor-specific patch and workaround details.

Limit CPU time

Limiting the processing time for a single request can help minimize
the impact of malicious requests.

Limit maximum POST size

Limiting the maximum POST request size can reduce the number of
possible predictable collisions, thus reducing the impact of an
attack.

Limit maximum request parameters

Some servers offer the option to limit the number of parameters per
request, which can also minimize impact.
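The following is an added example, not code from the US-CERT note or from any listed vendor: a form-body parser that enforces two of the mitigations above, a maximum POST size and a maximum parameter count, before keys reach the hash table. Limits and sample bodies are constructed for illustration; the underlying hash function weakness is still addressed only by the vendor update.

```python
# Added example (not from the CERT/US-CERT advisory): bounded parsing of
# application/x-www-form-urlencoded POST data. The size check runs before
# any decoding, and the parameter count is checked field by field, so a
# body carrying many colliding keys is rejected after at most max_params
# insertions instead of being fully decoded into the table.
from urllib.parse import unquote_plus


class RequestTooLarge(ValueError):
    """Raised when a POST body or its parameter count exceeds a limit."""


def parse_form_body(body: bytes, max_bytes: int = 2 * 1024 * 1024,
                    max_params: int = 1000) -> dict:
    """Parse form data into {key: [values]} under hard size/count limits."""
    if len(body) > max_bytes:
        raise RequestTooLarge(f"body of {len(body)} bytes exceeds {max_bytes}")
    params: dict = {}
    count = 0
    for field in body.split(b"&"):
        if not field:          # tolerate "a=1&&b=2"
            continue
        count += 1
        if count > max_params:
            raise RequestTooLarge(f"more than {max_params} parameters")
        key, sep, value = field.partition(b"=")
        # Decode only after the count check so rejected fields cost nothing.
        k = unquote_plus(key.decode("latin-1"))
        v = unquote_plus(value.decode("latin-1")) if sep else ""
        params.setdefault(k, []).append(v)
    return params


# Constructed sample bodies: an ordinary login form and a 5000-field flood.
NORMAL_BODY = b"user=alice&token=abc%20123&remember=on"
FLOOD_BODY = b"&".join(b"k%d=v" % i for i in range(5000))


def classify(body: bytes, max_params: int = 1000) -> str:
    """Return 'accepted' or 'rejected', suitable for a request log or metric."""
    try:
        parse_form_body(body, max_params=max_params)
        return "accepted"
    except RequestTooLarge:
        return "rejected"


if __name__ == "__main__":
    print(classify(NORMAL_BODY), classify(FLOOD_BODY))
```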


Vendor Information

Vendor                  Status      Date Notified   Date Updated
Adobe                   Unknown     2011-11-01      2011-11-01
Apache Tomcat           Affected                    2011-12-28
IBM Corporation         Unknown     2011-11-01      2011-11-01
Microsoft Corporation   Affected    2011-11-01      2011-12-28
Oracle Corporation      Unknown     2011-11-01      2011-11-01
Ruby                    Affected    2011-11-01      2011-12-28
The PHP Group           Affected                    2011-12-28


References

http://www.nruns.com/_downloads/advisory28122011.pdf
http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf


Credit

Thanks to Alexander Klink and Julian Wälde for reporting these
vulnerabilities.

This document was written by Jared Allar and David Warren.


Other Information

Date Public:	2011-12-28
Date First Published:	2011-12-28
Date Last Updated:	2011-12-28
CERT Advisory:
CVE-ID(s):	CVE-2011-4815 CVE-2011-3414
NVD-ID(s):	CVE-2011-4815 CVE-2011-3414
US-CERT Technical Alerts:
Severity Metric:	10,80
Document Revision:	17

If you have feedback, comments, or additional information about
this vulnerability, please send us email.


======================================================================

             =========================================================
             CERT-Renater reference servers
             http://www.urec.fr/securite
             http://www.cru.fr/securite
             http://www.renater.fr
             =========================================================
             + CERT-RENATER          | tel : 01-53-94-20-44          +
             + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
             + 75013 Paris           | email: certsvp@renater.fr     +
             =========================================================
