oCERT-2012-001 multiple implementations denial-of-service via MurmurHash algorithm collision

Description:

A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions in the underlying hashing algorithms.

The issue is similar to the one reported in oCERT-2011-003 and concerns the MurmurHash algorithm family. The condition for predictable collisions in the hashing functions has been reported for the following language implementations: JRuby (MurmurHash2), Ruby (MurmurHash2), Rubinius (MurmurHash3), Oracle JDK (MurmurHash), OpenJDK (MurmurHash). In the case of Java OpenJDK the hash function affected by the reported issue is not enabled by default, the default function is however reported vulnerable to oCERT-2011-003.

Affected version:

Ruby < 1.9.3-p327

JRuby < 1.7.1

Rubinius, all versions

Oracle JDK <= 7

OpenJDK <= 7

Fixed version:

Ruby >= 1.9.3-p327

JRuby >= 1.7.1

Rubinius, N/A (see References for patch commited to development branch)

Oracle JDK, N/A

OpenJDK, N/A

Credit: vulnerability report received from Jean-Philippe Aumasson <jeanphilippe.aumasson AT gmail.com>, PoC code and SipHash implementation used to patch the issue developed by Martin Bosslet <martin.bosslet AT gmail.com>.

CVE: CVE-2012-5370 (JRuby), CVE-2012-5371 (Ruby), CVE-2012-5372 (Rubinius), CVE-2012-5373 (Oracle JDK, OpenJDK)

Timeline:

2012-08-30: vulnerability report sent to Ruby, JRuby and Rubinius security contacts
2012-09-03: vulnerability report forwarded to oCERT by Hiroshi Nakamura (Ruby security contact)
2012-09-06: oCERT contacted reporters to investigate additional affected projects
2012-09-06: reporters indicate OpenJDK as vulnerable and that Java security team has been contacted on 2012-07-31
2012-09-10: oCERT requested CVE assignment for Ruby, JRuby and Rubinius
2012-09-12: Oracle JDK and OpenJDK confirmed vulnerable by reporters
2012-09-12: oCERT requested CVE assignment for Oracle JDK and OpenJDK
2012-10-10: reporters indicate public PoC release on 2012-11-07 at ASFWS
2012-11-08: assigned CVEs
2012-11-09: Ruby 1.9.3-p327 released
2012-11-23: advisory release
2012-11-27: corrected typos in CVE assignment
2012-12-03: JRuby 1.7.1 released
2012-12-12: added reference to JRuby release and Rubinius development branch patch

References:
https://www.131002.net/siphash
https://github.com/rubinius/rubinius/commit/a9a40fc6a1256bcf6382631b710430105c5dd868