Bug#653964: glassfish predictable hash collisions

Thijs Kinkhorst thijs at debian.org
Mon Jan 2 09:40:12 UTC 2012


On Mon, January 2, 2012 09:56, Torsten Werner wrote:
> Hi,
>
> On Sun, Jan 1, 2012 at 11:53 PM, Thijs Kinkhorst <thijs at debian.org> wrote:
>> It was reported that Glassfish is affected by the predictable hash
>> collisions attack that made its rounds around the net this week. This is
>> tracked at http://security-tracker.debian.org/tracker/CVE-2011-5035
>
> I do not think that we are vulnerable because Debian does not ship a
> full glassfish stack. We build some core libs only.

Perhaps that depends on whether the affected function is in those libs and
hence exposed in some way to outside-facing services.

>> Can you ensure that fixed packages are uploaded to sid as soon as
>> possible, and assert whether a fix for lenny and squeeze would be
>> necessary?
>
> I do not even understand how to reproduce the issue. May you elaborate
> on that, please?

It's a generic vulnerability. More details on that are in here:
http://www.kb.cert.org/vuls/id/903934
I do not immediately know how this relates to Glassfish specifically, but
in the general case it boils down to doing a crafted request which
exploits complexity in the implementation such that all processing power
is consumed by dealing with the request.

For the specific case, there's apparently "Oracle security ticket
S0104869", but I don't know how to access that. oCERT says: "Oracle
reports that the issue is fixed in the main codeline and scheduled for a
future CPU".

Does this help you a bit?


Thijs
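A defender-side illustration of the two mitigations servers adopted for this class of bug (a keyed, unpredictable bucket hash so a client cannot precompute colliding keys, and a cap on the number of request parameters), as an added example that is not part of this thread or of Glassfish; ParamTable, parse_query and the 10000-parameter default are this example's own choices.

```python
import os
import hashlib
from urllib.parse import parse_qsl

# Per-process random secret: bucket placement differs on every start, so an
# attacker cannot craft a request whose keys all land in one chain.
_SECRET = os.urandom(16)


def keyed_hash(key: str, secret: bytes = _SECRET) -> int:
    """Bucket hash derived from a keyed BLAKE2b digest of the parameter name."""
    digest = hashlib.blake2b(key.encode("utf-8"), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big")


class ParamTable:
    """Chained hash table; the longest chain is what a collision attack inflates."""

    def __init__(self, nbuckets: int = 1024):
        self.buckets = [[] for _ in range(nbuckets)]

    def put(self, key: str, value: str) -> None:
        chain = self.buckets[keyed_hash(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            if k == key:          # replace an existing parameter value
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def get(self, key: str, default=None):
        for k, v in self.buckets[keyed_hash(key) % len(self.buckets)]:
            if k == key:
                return v
        return default

    def longest_chain(self) -> int:
        return max(len(c) for c in self.buckets)


class TooManyParameters(ValueError):
    """Raised before any hashing work is done for an oversized request."""


def parse_query(qs: str, max_params: int = 10000) -> ParamTable:
    """Parse a query string into a ParamTable, rejecting oversized requests first."""
    pairs = parse_qsl(qs, keep_blank_values=True)   # constructed input from caller
    if len(pairs) > max_params:
        raise TooManyParameters(f"{len(pairs)} parameters exceeds limit {max_params}")
    table = ParamTable()
    for k, v in pairs:
        table.put(k, v)
    return table
```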
