(Red Hat Issues Fix) Ruby Hash Table Collision Bug Lets Remote Users Deny Service

SecurityTracker Alert ID: 1026596
SecurityTracker URL: http://securitytracker.com/id/1026596
CVE Reference: CVE-2011-4815
Date: Jan 30 2012
Impact: Denial of service via network
Fix Available: Yes   Vendor Confirmed: Yes   Exploit Included: Yes
Version(s): 1.8.7-p356 and prior versions

Description:
A vulnerability was reported in Ruby. A remote user can cause denial of service conditions.
A remote user can send specially crafted POST request values to trigger hash collisions and cause significant performance degradation on the target server.
Version 1.9.x is not affected.
The original advisory is available at:
http://www.nruns.com/_downloads/advisory28122011.pdf
Alexander Klink of n.runs AG and Julian Walde of Technische Universitat Darmstadt reported this vulnerability. Scott A. Crosby and Dan S. Wallach of Rice University reported the theoretical attack.
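As an added defensive illustration (not code from the advisory, from Ruby or from Red Hat), the following decoder for an application/x-www-form-urlencoded POST body caps the number of parameters before any key is inserted into a Hash, bounding the work a single request can demand even when its keys are chosen to collide; the per-process hash seeding in the vendor fix remains the primary mitigation, and MAX_PARAMS, parse_form_body and rejects_oversized_body? are assumed names.

```ruby
require 'cgi'

# Constructed example: decode a form-encoded POST body into a Ruby Hash while
# enforcing an upper bound on the number of parameters. The cap is checked on
# the raw bytes before any key is hashed, so the table never sees more than
# MAX_PARAMS insertions regardless of how the keys collide.
MAX_PARAMS = 1000 # constructed default; tune to the application's real forms

class TooManyParams < StandardError; end

# Returns a Hash of decoded parameters, or raises TooManyParams.
def parse_form_body(body, max_params: MAX_PARAMS)
  # Every '&' separates at most one more pair, so this cheap count bounds the
  # number of parameters before any allocation or hashing takes place.
  if body.count('&') + 1 > max_params
    raise TooManyParams, "body carries more than #{max_params} parameters"
  end

  params = {}
  body.split('&').each do |pair|
    next if pair.empty?              # tolerate "a=1&&b=2"
    key, value = pair.split('=', 2)  # "flag" (no '=') decodes to ""
    params[CGI.unescape(key)] = CGI.unescape(value.to_s)
  end
  params
end

# Builds a constructed body with key_count distinct keys and reports whether
# the decoder rejects it before building the table.
def rejects_oversized_body?(key_count, max_params: MAX_PARAMS)
  body = (0...key_count).map { |i| "k#{i}=v" }.join('&')
  parse_form_body(body, max_params: max_params)
  false
rescue TooManyParams
  true
end
```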
Impact:
A remote user can cause performance to degrade on the target server.

Solution:
Red Hat has issued a fix.
The Red Hat advisory is available at:
https://rhn.redhat.com/errata/RHSA-2012-0069.html

Vendor URL: www.ruby-lang.org/en/news/2011/12/28/denial-of-service-attack-was-found-for-rubys-hash-algorithm/

Cause:
Randomization error

Underlying OS:
Linux (Red Hat Enterprise)

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents
Date: Mon, 30 Jan 2012 19:56:03 +0000
Subject: [RHSA-2012:0069-01] Moderate: ruby security update

CVE-2011-4815