Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 361316

Summary: DoS attack from similar hash values
Product: [RT] Jetty Reporter: Greg Wilkins <gregw>
Component: serverAssignee: Jan Bartel <janb>
Status: CLOSED FIXED QA Contact:
Severity: critical    
Priority: P3 CC: david_williams, glyn.normington, gregw, jesse.mcconnell, jetty-inbox, john.arthorne, stephen.francisco, wayne.beaton
Version: 7.5.2Keywords: security
Target Milestone: 7.5.x   
Hardware: PC   
OS: Linux   
See Also: https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638
Whiteboard:

Description Greg Wilkins CLA 2011-10-18 19:41:48 EDT 
Andrea Barisani lcars@ocert.org via webtide.com 

Hi,

oCERT recently received a report concerning a Denial Of Service condition which
can be triggered exploiting predictable collisions in hashing algorithms.

The issue is extremely similar to the one reported in 2003 in the paper "Denial
of Service via Algorithmic Complexity Attacks" [1] which was affecting the Perl
language.

In this newly reported scenario exploits multi collisions in hashing functions
of PHP/Java/Python in order to cause a DoS against the storage of key/value
pairs in CGI (POST) parameters.

As an example it has been reported that the attack can amplify 2 MB worth of
specially crafted parameters leading to a 100% of CPU usage which can last from
5 to several hours, depending on the targeted application and server
performance.

Your project Jetty has been reported as vulnerable to such condition and we
can provide you a PoC, if requested, which illustrates the issue. The test
case is created by posting several parameter keys which map to the same hash
code, triggering a large amount of CPU usage and hence causing a DoS
condition.

While we are currently discussing potential fixes in the underlying languages
hash algorithms in order to deal with this scenario we anticipate that in any
case the applications would have to be patched in order to effectively prevent
this possibility. As a language-level fix is still under discussion, and less
likely to be implemented by the respective maintainers, we would favour a fix
at the application-level for the time being.

On Java based applications moving away from HashMap/Hashtable in favour of
TreeMap is reportedly an effective solution.

For applications based on other languages move to a datastructure equivalent to
TreeMap or the implementation of a detection function for an anomalous number
of collisions per bucket would be necessary.

IMPORTANT: The embargo date for this issue has been set to December 27th per
request of the reports (who are going to present a talk regarding this attack
at the CCC event). We would ask you not to release publicly information about
the discussed issue before the specific date.

We would like to coordinate the release of a patch and/or new version of your
project at embargo expiration, it would be beneficial to publish an advisory
referencing the fixed versions when the embargo date is reached.

Please let us know if you have any questions or need any clarifications about
this report and how you would like to go forward.

I am cc'ing the original authors (which will be eventually credited in the
advisory) Alexander Klink <alexander.klink@nruns.com> and Julian Waelde
<jwaelde@cdc.informatik.tu-darmstadt.de>

We are separately contacting the other affected vendors.

Thanks a lot.

References:
[1] http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf
Comment 1 Greg Wilkins CLA 2011-10-18 19:42:55 EDT 
Andrea,

Thanks for the report.

Note that with Jetty, by default we limit the form content to be 8K in the URI and 200K in body content.
Can you advise if the CPU usage grows linearly or greater with the size of the form?  ie is a limited form size a moderate initial defence?

Could you provide a list (or generator) of example keys that hash to the same value so that we may perform our own testing of impacts.  We understand that such a list should not be widely distributed, but anybody with knowledge of this attack could generate such a list without much effort.

Note also, that I would assume similar attacks can be mounted on HTTP headers and Cookies, although the later two are also size limited.  Knowing the performance curve against size would be very good.

I would also expect that many applications might also be vulnerable, specially ones that use JSON (or similar) to parse user supplied data into Maps of Maps.   I would suggest that you raise this issue with the commonly supplied JSON libraries as well.

Do you yet have any idea of what approach could possibly be implemented in the JVM to alleviate this? Would runtime selection of some random element to the hash algorithm be sufficient (although long running applications would be vulnerable to having the "frequency of their shields" discovered by the Klingons).
Comment 2 Greg Wilkins CLA 2012-01-10 19:29:30 EST 
We have implemented a maxFormKeys configuration (default 1000) on the ContextHandler, which reduces the number of keys that can be added to the map, and thus reduces the impact of bad keys.  The testing we did shows that severe non-linear impacts only occur after approx 10000 keys.

The Multipart filter has been similarly updated.

The jetty-8 servlet 3.0 multipart handling needs to be updated
Comment 3 Greg Wilkins CLA 2012-01-10 19:32:34 EST 
*** Bug 367733 has been marked as a duplicate of this bug. ***
Comment 4 Greg Wilkins CLA 2012-01-10 19:45:52 EST 
See also https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638
Comment 5 Jan Bartel CLA 2012-01-11 00:38:14 EST 
Fixed for jetty-7.6.0.RC4 and jetty-8.1.0.RC4.
Comment 6 John Arthorne CLA 2012-01-11 11:42:25 EST 
I don't see the difference between this bug and bug 367638. Are you talking about the same fix in both cases (maxFormKeys)?
Comment 7 John Arthorne CLA 2012-01-11 15:38:53 EST 
Also, is there any workaround we can do on the Equinox side for Indigo stream where we are using an old Jetty 6? Or would you need to expose the same configurable property (and default upper bound) there first?
Comment 8 Wayne Beaton CLA 2012-02-05 13:29:50 EST 
Is it time to turn off the "committer-only" flag?
Comment 9 Wayne Beaton CLA 2012-03-22 10:20:55 EDT 
(In reply to comment #8)
> Is it time to turn off the "committer-only" flag?

Ping?
Comment 10 Jesse McConnell CLA 2012-03-22 10:30:27 EDT 
why does the same bug have so many instances...I cleared that flag on the other one a while back, didn't realize this one was here.