CERT mailing list archives

Current Activity - Multiple Programming Language Implementations Vulnerable to Hash Table Collision Attacks


From: Current Activity <us-cert () us-cert gov>
Date: Wed, 28 Dec 2011 13:25:18 -0500

US-CERT Current Activity

Multiple Programming Language Implementations Vulnerable to Hash Table Collision Attacks

Original release date: December 28, 2011 at 1:04 pm
Last revised: December 28, 2011 at 1:04 pm


US-CERT is aware of reports stating that multiple programming language
implementations, including web platforms, are vulnerable to hash table
collision attacks. This vulnerability could be used by an attacker to
launch a denial-of-service attack against websites using affected
products.

The Ruby Security Team has updated Ruby 1.8.7. The Ruby 1.9 series is
not affected by this attack. Additional information can be found in
the Ruby 1.8.7 patchlevel 357 release notes.

Microsoft has released a security advisory for ASP.NET containing a
workaround. Additional information can be found in Microsoft Security
Advisory 2659883.

More information regarding this vulnerability can be found in US-CERT
Vulnerability Note VU#903934 and n.runs Security Advisory
n.runs-SA-2011.004.

US-CERT will provide additional information as it becomes available.

Relevant URL(s):
<http://www.ruby-forum.com/topic/3312298>

<http://www.nruns.com/_downloads/advisory28122011.pdf>

<http://technet.microsoft.com/en-us/security/advisory/2659883>

<http://www.kb.cert.org/vuls/id/903934>

====
This entry is available at
http://www.us-cert.gov/current/index.html#multiple_vendors_vulnerable_to_hash
