[MarkLogic Dev General] Is MarkLogic susceptible to the hash collision attack?

David Lee dlee at calldei.com
Tue Jan 3 08:23:29 PST 2012 

From the details of the report it looks like you need to know details of the hashcode. Implementation as well as the hash table code, if in fact a hashtable is used.
Very unlikely the same exact exploit would work across systems.
Also I'm very skeptical ...  Even a badly written hashtable shouldn't perform as bad as indicated with only thousands of collisions.... 90 seconds of CPU for a few thousand entries ??? 


Sent from my iPad (excuse the terseness) 
David A Lee
dlee at calldei.com

On Jan 3, 2012, at 11:12 AM, Geert Josten <geert.josten at dayon.nl> wrote:

> Ryan,
>  
> Do you recall there was any mentioning of Apache HTTPD by any chance?
>  
> Kind regards,
> Geert
>  
> Van: general-bounces at developer.marklogic.com [mailto:general-bounces at developer.marklogic.com] Namens semerau at hotmail.com
> Verzonden: dinsdag 3 januari 2012 16:56
> Aan: general at developer.marklogic.com
> Onderwerp: Re: [MarkLogic Dev General] Is MarkLogic susceptible to the hash collision attack?
>  
> I haven't been able to produce this problem on a MarkLogic instance. My concerns have been assuaged about it for MarkLogic.
> 
> From: geert.josten at dayon.nl
> Date: Tue, 3 Jan 2012 15:54:47 +0100
> To: general at developer.marklogic.com
> Subject: Re: [MarkLogic Dev General] Is MarkLogic susceptible to the hash collision attack?
> 
> Hi Ryan,
>  
> Have you tried? (at home preferably ;)
>  
> Kind regards,
> Geert
>  
> Van: general-bounces at developer.marklogic.com [mailto:general-bounces at developer.marklogic.com] Namens semerau at hotmail.com
> Verzonden: donderdag 29 december 2011 18:16
> Aan: general at developer.marklogic.com
> Onderwerp: [MarkLogic Dev General] Is MarkLogic susceptible to the hash collision attack?
>  
> Quote:
> 
> Researchers have shown how a flaw that is common to most popular Web programming languages can be used to launch denial-of-service attacks by exploiting hash tables. Announced publicly on Wednesday at the Chaos Communication Congress event in Germany, the flaw affects a long list of technologies, including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google's open source JavaScript engine V8. The vendors and developers behind these technologies are working to close the vulnerability, with Microsoft warning of "imminent public release of exploit code" for what is known as a hash collision attack.
> 
> ...
> 
> "Hash tables are a commonly used data structure in most programming languages," they explained. "Web application servers or platforms commonly parse attacker-controlled POST form data into hash tables automatically, so that they can be accessed by application developers. If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request."
> 
> more-> http://arstechnica.com/business/news/2011/12/huge-portions-of-web-vulnerable-to-hashing-denial-of-service-attack.ars
> 
> Seems to be a big deal with a lot of servers. Is MarkLogic affected?
> 
> thanks,
> Ryan
> 
> _______________________________________________ General mailing list General at developer.marklogic.com http://developer.marklogic.com/mailman/listinfo/general
> _______________________________________________
> General mailing list
> General at developer.marklogic.com
> http://developer.marklogic.com/mailman/listinfo/general
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://developer.marklogic.com/pipermail/general/attachments/20120103/5259441f/attachment-0001.html

More information about the General mailing list