Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.0
CVE Id CVE-2011-5035
Last Modified 04 Oct 2014 12:45:24
Published 29 Dec 2011 08:55:01
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2011-5035

Summary

Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.

Vulnerable Systems

Application

  • Oracle Glassfish Server 1.0

  • Oracle Glassfish Server 2

  • Oracle Glassfish Server 2.0

  • Oracle Glassfish Server 2.1

  • Oracle Glassfish Server 2.1.1

  • Oracle Glassfish Server 3.0

  • Oracle Glassfish Server 3.0.1

  • Oracle Glassfish Server 3.1

  • Oracle Glassfish Server 3.1.1
References

CERT-VN - VU#903934

MISC - http://www.ocert.org/advisories/ocert-2011-003.html

MISC - http://www.nruns.com/_downloads/advisory28122011.pdf

MISC - https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

SECUNIA - 48589

BUGTRAQ - 20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

SECUNIA - 48950

MANDRIVA - MDVSA-2013:150

REDHAT - RHSA-2013:1455

DEBIAN - DSA-2420

HP - HPSBST02955

SECUNIA - 57126

GENTOO - GLSA-201406-32

Related Patches

Apple 2012-04-03 Java for Mac OS X 10.6 Update 7

Apple 2012-04-03 Java for OS X Lion 2012-001

Apple 2012-04-12 Java for OS X Lion 2012-003

Apple 2012-04-12 Java for Mac OS X 10.6 Update 8

Sun Java JRE 1.6.0_31 for Windows (Update) (All Languages) (See Notes)

Sun Java JRE 1.7.0_03 for Windows (Update) (All Languages) (See Notes)

Sun Java JRE 1.6.0_31 for Windows (Update) (64Bit) (All Languages) (See Notes)

Sun Java JRE 1.7.0_03 for Windows (Update) (All Languages) (See Notes) (64Bit)

Red Hat 2012:0322-01 RHSA Important: java-1.6.0-openjdk security update for RHEL 5 x86

Red Hat 2012:0322-01 RHSA Important: java-1.6.0-openjdk security update for RHEL 5 x86_64

Novell SUSE 2012:5845 java-1_6_0-openjdk security update for SLED 11 SP1 i586

Novell SUSE 2012:5845 java-1_6_0-openjdk security update for SLED 11 SP1 x86_64

Novell SUSE 2012:6225 java-1_6_0-ibm security update for SLES 11 SP1 i586

Novell SUSE 2012:6225 java-1_6_0-ibm security update for SLES 11 SP1 x86_64

Novell SUSE 2012:8094 java-1_6_0-ibm security update for SLES 10 SP4 i586

Novell SUSE 2012:8094 java-1_6_0-ibm security update for SLES 10 SP4 x86_64
Last Updated: 27 May 2016 10:57:58