[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

AdaCore Security Advisory SA-2012-L119-003 Hash collisions in AWS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: AdaCore Security Advisory SA-2012-L119-003 Hash collisions in AWS
From: Thomas Quinot <quinot@xxxxxxxxxxx>
Date: Fri, 27 Jan 2012 16:45:31 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AdaCore Security Advisory
=========================

SA-2012-L119-003 Hash collisions in AWS

  Problem:    Impacted versions of AWS store key/value pairs from submitted
              form data in hash tables using a hash function that has
              predictable collisions. As a result, a single specially crafted
              HTTP request can cause the server to use hours of CPU time,
              thus causing a denial of service.

  Impact:     All AWS releases and wavefronts prior to 2012-01-21

  Status:     This was fixed in AWS 2.11 and 2.10.2 on 2012-01-21

  References: n.runs-SA-2011.004
              http://www.nruns.com/_downloads/advisory28122011.pdf

              Effective Denial of Service attacks against
              web application platforms :: AWS round 
              
http://ogrod2.blogspot.com/2012/01/28c3-effective-denial-of-service.html

              AWS
              
http://www.adacore.com/home/products/gnatpro/add-on_technologies/web_technologies
              http://forge.open-do.org/projects/aws/

  History:    2012-01-27 First published

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk8iwlEACgkQK8Lr/hUfADYemQCdHUyHQWMRikkF2XO0n1KSINCt
NbYAoMyczgLV2Bt+aok73Cp90A8tBmEe
=XT3i
-----END PGP SIGNATURE-----

Prev by Date: [ GLSA 201201-15 ] ktsuss: Privilege escalation
Next by Date: [SECURITY] [DSA 2395-1] wireshark security update
Previous by thread: [ GLSA 201201-15 ] ktsuss: Privilege escalation
Next by thread: [SECURITY] [DSA 2395-1] wireshark security update
Index(es):
- Date
- Thread