CVE-2012-5370 — JRuby denial of service via Hash Collision

Description

JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.

How to fix CVE-2012-5370

To remediate CVE-2012-5370, upgrade the affected package to a fixed version below.

Debian/jruby—upgrade to 1.5.6-5 or later
—upgrade to 1.7.1 or later

Is CVE-2012-5370 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.5.6-5
from 0, < 1.7.1

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-5370
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-5370
WEBjruby.org/2012/12/03/jruby-1-7-1
WEBrhn.redhat.com/errata/RHSA-2013-0533.html
WEB