Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS12M2g4LXJ3NDgtaDRncs3ubQ

Apache Geronimo Hash Collisions Cause DoS

Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461.

Permalink: https://github.com/advisories/GHSA-v3h8-rw48-h4gr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12M2g4LXJ3NDgtaDRncs3ubQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago

Identifiers: GHSA-v3h8-rw48-h4gr, CVE-2011-5034
References:

• https://nvd.nist.gov/vuln/detail/CVE-2011-5034
• https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py
• https://lists.apache.org/thread.html/r20957aa5962a48328f199e2373f408aeeae601a45dd5275a195e2b6e@%3Cjava-dev.axis.apache.org%3E
• https://lists.apache.org/thread.html/r360b70489bad65286b49ceb5303a849d2a7ec7d1292774a7259579e1@%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r3c541f019b74902e8e61d73e40ecc2837dfce1b744ad5546919b993c@%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r4fe6b5ff1d48e23337304fd5ac983d89328aecbd1fa198cfc966fbd7@%3Cdev.geronimo.apache.org%3E
• https://lists.apache.org/thread.html/r653f633aa7b6ccbb8c338dbfcea7a00e4ae9d6f3e064a03cab8dc20d@%3Cjava-dev.axis.apache.org%3E
• https://lists.apache.org/thread.html/r67747af92035942c9c413bd8394acbb8a1ace5833c0177014c825bc2@%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r8dc1a0ae0e0cf9d2494b8cbd66562f99331c4cf635e7781850a9b9ba@%3Cjava-dev.axis.apache.org%3E
• https://lists.apache.org/thread.html/ra10015f6f3c3c88b7d813383554e87c06347fe163487148669189b8e@%3Cdev.geronimo.apache.org%3E
• https://lists.apache.org/thread.html/ra1fe29f6399b68980f914d8613dee7f67d62a1a97722fe9cd56f4f5f@%3Cdev.geronimo.apache.org%3E
• https://lists.apache.org/thread.html/rb0e85243d7268f1d7a1edb5e6c7df885dbd300acabaaf4cb0e880518@%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/rdd67ea3e489134f653349fc2cb09828ac8462aa61dd776b505a3297a@%3Cissues.karaf.apache.org%3E
• http://www.kb.cert.org/vuls/id/903934
• http://www.ocert.org/advisories/ocert-2011-003.html
• https://web.archive.org/web/20120105151644/http://www.nruns.com/_downloads/advisory28122011.pdf
• https://web.archive.org/web/20130213132312/http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
• https://github.com/advisories/GHSA-v3h8-rw48-h4gr

Repository: https://github.com/FireFart/HashCollision-DOS-POC
Blast Radius: 0.0

Affected Packages