Metric | Value |
---|---|
CVSS2 | 5 Medium |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
CVSS2 Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |
EPSS | 0.003 Low |
EPSS Percentile | 67.9% |

Oracle Java SE before 7 Update 6, and OpenJDK 7 before 7u6 build 12 and 8
before build 39, computes hash values without restricting the ability to
trigger hash collisions predictably, which allows context-dependent
attackers to cause a denial of service (CPU consumption) via crafted input
to an application that maintains a hash table.
Author | Note |
---|---|
sbeattie | openjdk-6b18 in oneiric has been superseded by openjdk-6. openjdk-6b18 in lucid & natty would be superseded by openjdk-6 except that openjdk-6 FTBFS on armel (LP: #1043003) |
jdstrand | this was actually fixed in usn-1619-1 as part of the new upstream releases, but it wasn’t reported as such. |

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 8.04 | noarch | openjdk-6 | < 6b27-1.12.3-0ubuntu1~08.04.1 | UNKNOWN |
ubuntu | 10.04 | noarch | openjdk-6 | < 6b24-1.11.5-0ubuntu1~10.04.2 | UNKNOWN |
ubuntu | 11.10 | noarch | openjdk-6 | < 6b24-1.11.5-0ubuntu1~11.10.1 | UNKNOWN |
ubuntu | 12.04 | noarch | openjdk-6 | < 6b24-1.11.5-0ubuntu1~12.04.1 | UNKNOWN |
ubuntu | 12.10 | noarch | openjdk-6 | < 6b24-1.11.5-0ubuntu1~12.10.1 | UNKNOWN |
ubuntu | 11.10 | noarch | openjdk-7 | < 7u9-2.3.3-0ubuntu1~11.10.1 | UNKNOWN |
ubuntu | 12.04 | noarch | openjdk-7 | < 7u9-2.3.3-0ubuntu1~12.04.1 | UNKNOWN |
ubuntu | 12.10 | noarch | openjdk-7 | < 7u9-2.3.3-0ubuntu1~12.10.1 | UNKNOWN |
armoredbarista.blogspot.de/2012/02/investigating-hashdos-issue.html
mail.openjdk.java.net/pipermail/core-libs-dev/2012-May/010238.html
www.openwall.com/lists/oss-security/2012/06/15/12
www.openwall.com/lists/oss-security/2012/06/17/1
launchpad.net/bugs/cve/CVE-2012-2739
nvd.nist.gov/vuln/detail/CVE-2012-2739
security-tracker.debian.org/tracker/CVE-2012-2739
ubuntu.com/security/notices/USN-1619-1
www.cve.org/CVERecord?id=CVE-2012-2739