CVE-2012-5373
Published: 28 November 2012
Oracle Java SE 7 and earlier, and OpenJDK 7 and earlier, computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash3 algorithm, a different vulnerability than CVE-2012-2739.
Notes
| Author | Note |
|---|---|
| jdstrand | no 2.3 update as of 2013/12/20. 2.4/armhf needs to be fixed the MurmurHash3 was introduced in OpenJDK 7 7u9-2.3.3 and OpenJDK 6 6b24-1.11.5 as part of the fix for CVE-2012-2739. icedtea-web not affected (code not present) patches/security/20121016/7158800.patch introduced this (ie murmur3_32()) per comment #1 in https://bugzilla.redhat.com/show_bug.cgi?id=880705 SipHash-2-4 is not vulnerable |
| sbeattie | purported to be fixed in 7u40 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
icedtea-web Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(code-not-present)
|
| bionic |
Not vulnerable
(code-not-present)
|
|
| cosmic |
Not vulnerable
(code-not-present)
|
|
| disco |
Not vulnerable
(code-not-present)
|
|
| hardy |
Does not exist
|
|
| lucid |
Not vulnerable
(code-not-present)
|
|
| oneiric |
Not vulnerable
(code-not-present)
|
|
| precise |
Not vulnerable
(code-not-present)
|
|
| quantal |
Not vulnerable
(code-not-present)
|
|
| raring |
Not vulnerable
(code-not-present)
|
|
| saucy |
Not vulnerable
(code-not-present)
|
|
| trusty |
Does not exist
(trusty was not-affected [code-not-present])
|
|
| upstream |
Needed
|
|
| utopic |
Not vulnerable
(code-not-present)
|
|
| vivid |
Not vulnerable
(code-not-present)
|
|
| wily |
Not vulnerable
(code-not-present)
|
|
| xenial |
Not vulnerable
(code-not-present)
|
|
| yakkety |
Not vulnerable
(code-not-present)
|
|
| zesty |
Not vulnerable
(code-not-present)
|
|
|
openjdk-6 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| hardy |
Ignored
(end of life)
|
|
| lucid |
Ignored
(end of life)
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Ignored
(end of life)
|
|
| quantal |
Ignored
(end of life)
|
|
| raring |
Ignored
(end of life)
|
|
| saucy |
Ignored
(end of life)
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Needed
|
|
| utopic |
Ignored
(end of life)
|
|
| vivid |
Ignored
(end of life)
|
|
| wily |
Ignored
(end of life)
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
openjdk-6b18 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| hardy |
Does not exist
|
|
| lucid |
Ignored
(end of life)
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| saucy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Ignored
(eol in lucid, oneiric)
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
openjdk-7 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| hardy |
Does not exist
|
|
| lucid |
Does not exist
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Released
(7u51-2.4.4-0ubuntu0.12.04.2)
|
|
| quantal |
Ignored
(end of life)
|
|
| raring |
Ignored
(end of life)
|
|
| saucy |
Ignored
(end of life)
|
|
| trusty |
Does not exist
(trusty was not-affected [7u51-2.4.6-1ubuntu4])
|
|
| upstream |
Needed
|
|
| utopic |
Ignored
(end of life)
|
|
| vivid |
Ignored
(end of life)
|
|
| wily |
Not vulnerable
(7u51-2.4.6-1ubuntu4)
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: upstream: http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/b03bbdef3a88 |
||
|
sun-java5 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| hardy |
Ignored
(end of life)
|
|
| lucid |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| saucy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Ignored
(end of life)
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
sun-java6 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| hardy |
Ignored
(end of life)
|
|
| lucid |
Does not exist
(removed from archive)
|
|
| oneiric |
Does not exist
|
|
| precise |
Does not exist
|
|
| quantal |
Does not exist
|
|
| raring |
Does not exist
|
|
| saucy |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Ignored
(upstream not redistributable)
|
|
| utopic |
Does not exist
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
References
- https://www.131002.net/data/talks/appsec12_slides.pdf
- https://bugzilla.redhat.com/show_bug.cgi?id=880705
- http://www.ocert.org/advisories/ocert-2012-001.html
- http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf
- http://2012.appsec-forum.ch/conferences/#c17
- http://mail.openjdk.java.net/pipermail/core-libs-dev/2012-May/010238.html
- http://icedtea.classpath.org/hg/release/icedtea6-1.11/file/d9564350faa6/patches/security/20121016/7158800.patch
- http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8006593
- https://www.cve.org/CVERecord?id=CVE-2012-5373
- NVD
- Launchpad
- Debian