Vulnerability Note VU#903934
Hash table implementations vulnerable to algorithmic complexity attacks
Some programming language implementations do not sufficiently randomize their hash functions or provide means to limit key collision attacks, which can be leveraged by an unauthenticated attacker to cause a denial-of-service (DoS) condition.
Many applications, including common web framework implementations, use hash tables to map key values to associated entries. If the hash table contains entries for different keys that map to the same hash value, a hash collision occurs and additional processing is required to determine which entry is appropriate for the key. If an attacker can generate many requests containing colliding key values, an application performing the hash table lookup may enter a denial of service condition.
An application can be forced into a denial-of-service condition. In the case of some web application servers, specially-crafted POST form data may result in a denial-of-service.
Apply an update
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apache Tomcat||Affected||-||28 Dec 2011|
|Microsoft Corporation||Affected||01 Nov 2011||29 Dec 2011|
|Oracle Corporation||Affected||01 Nov 2011||15 Feb 2016|
|Ruby||Affected||01 Nov 2011||28 Dec 2011|
|The PHP Group||Affected||-||28 Dec 2011|
|Adobe||Unknown||01 Nov 2011||01 Nov 2011|
|IBM Corporation||Unknown||01 Nov 2011||01 Nov 2011|
CVSS Metrics (Learn More)
Thanks to Alexander Klink and Julian Wälde for reporting these vulnerabilities.
This document was written by Jared Allar and David Warren.
- CVE IDs: CVE-2011-4815 CVE-2011-3414 CVE-2011-4838 CVE-2011-4885
- Date Public: 28 Dec 2011
- Date First Published: 28 Dec 2011
- Date Last Updated: 15 Feb 2016
- Severity Metric: 10.80
- Document Revision: 40
If you have feedback, comments, or additional information about this vulnerability, please send us email.