NVD Vulnerability Detail

CVE-2011-5035

Summary	Oracle Glassfish 2.1.1, 3.0.1, and 3.1.1, as used in Communications Server 2.0, Sun Java System Application Server 8.1 and 8.2, and possibly other products, computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters, aka Oracle security ticket S0104869.
Publication Date	Dec. 30, 2011, 10:55 a.m.
Registration Date	Jan. 28, 2021, 4:40 p.m.
Last Update	Nov. 21, 2024, 10:33 a.m.

CVSS2.0 : MEDIUM
Score	5.0
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	なし
可用性への影響(A)	低
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:oracle:glassfish_server::::::::		3.1.1
cpe:2.3:a:oracle:glassfish_server:2.1.1:::::::*
cpe:2.3:a:oracle:glassfish_server:3.0.1:::::::*

Related information, measures and tools

No	URL	タグ
1	http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
2	http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00010.html
3	http://marc.info/?l=bugtraq&m=133364885411663&w=2
4	http://marc.info/?l=bugtraq&m=133364885411663&w=2
5	http://marc.info/?l=bugtraq&m=133847939902305&w=2
6	http://marc.info/?l=bugtraq&m=133847939902305&w=2
7	http://marc.info/?l=bugtraq&m=134254866602253&w=2
8	http://marc.info/?l=bugtraq&m=134254957702612&w=2
9	http://marc.info/?l=bugtraq&m=134254957702612&w=2
10	http://marc.info/?l=bugtraq&m=139344343412337&w=2
11	http://rhn.redhat.com/errata/RHSA-2012-0514.html
12	http://rhn.redhat.com/errata/RHSA-2013-1455.html
13	http://secunia.com/advisories/48073
14	http://secunia.com/advisories/48074
15	http://secunia.com/advisories/48589
16	http://secunia.com/advisories/48950
17	http://secunia.com/advisories/57126
18	http://security.gentoo.org/glsa/glsa-201406-32.xml
19	http://www.debian.org/security/2012/dsa-2420
20	http://www.kb.cert.org/vuls/id/903934	US Government Resource
21	http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
22	http://www.nruns.com/_downloads/advisory28122011.pdf
23	http://www.ocert.org/advisories/ocert-2011-003.html
24	http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
25	http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
26	http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
27	https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py
28	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16908
29	http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
30	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16908
31	https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py
32	http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
33	http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
34	http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
35	http://www.ocert.org/advisories/ocert-2011-003.html
36	http://www.nruns.com/_downloads/advisory28122011.pdf
37	http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
38	http://www.kb.cert.org/vuls/id/903934	US Government Resource
39	http://www.debian.org/security/2012/dsa-2420
40	http://security.gentoo.org/glsa/glsa-201406-32.xml
41	http://secunia.com/advisories/57126
42	http://secunia.com/advisories/48950
43	http://secunia.com/advisories/48589
44	http://secunia.com/advisories/48074
45	http://secunia.com/advisories/48073
46	http://rhn.redhat.com/errata/RHSA-2013-1455.html
47	http://rhn.redhat.com/errata/RHSA-2012-0514.html
48	http://marc.info/?l=bugtraq&m=139344343412337&w=2
49	http://marc.info/?l=bugtraq&m=134254957702612&w=2
50	http://marc.info/?l=bugtraq&m=134254957702612&w=2
51	http://marc.info/?l=bugtraq&m=134254866602253&w=2
52	http://marc.info/?l=bugtraq&m=133847939902305&w=2
53	http://marc.info/?l=bugtraq&m=133847939902305&w=2
54	http://marc.info/?l=bugtraq&m=133364885411663&w=2
55	http://marc.info/?l=bugtraq&m=133364885411663&w=2
56	http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00010.html

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

JVN Vulnerability Information

Oracle Glassfish におけるサービス運用妨害 (CPU 資源の消費) の脆弱性

Title	Oracle Glassfish におけるサービス運用妨害 (CPU 資源の消費) の脆弱性
Summary	Oracle Glassfish は、ハッシュ衝突を想定した制限を行わずにフォームパラメータのハッシュ値を算出するため、サービス運用妨害 (CPU 資源の消費) 状態となる脆弱性が存在します。
Possible impacts	第三者により、巧妙に細工されたパラメータを大量に送信されることで、サービス運用妨害 (CPU 資源の消費) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Dec. 30, 2011, midnight
Registration Date	Jan. 4, 2012, 4:47 p.m.
Last Update	March 6, 2015, 4:31 p.m.

Affected System

ヒューレット・パッカード

HP XP P9000 Performance Advisor ソフトウェア 5.4.1 およびそれ以前

オラクル

Java System Web Server 6.1

Oracle Application Server 10g R3 (10.1.3.5.0)

Oracle Communications Server 2.0

Oracle GlassFish Server 2.1.1

Oracle GlassFish Server 3.0.1

Oracle GlassFish Server 3.1.1

Oracle iPlanet Web Server 7.0

Oracle JRockit 27.7.1 およびそれ以前

Oracle JRockit 28.2.2 およびそれ以前

Oracle Sun Java System Application Server 8.1

Oracle Sun Java System Application Server 8.2

Oracle WebLogic Server 10.0.2

Oracle WebLogic Server 11gR1 (10.3.3、10.3.4、10.3.5)

Oracle WebLogic Server 12cR1 (12.1.1)

Oracle WebLogic Server 9.2.4

アップル

Apple Mac OS X v10.6.8

Apple Mac OS X v10.7.3

Apple Mac OS X Server v10.6.8

Apple Mac OS X Server v10.7.3

富士通

Internet Navigware Server

Interstage Application Development Cycle Manager

Interstage Application Framework Suite

Interstage Application Server

Interstage Application Server Plus Developer / Apworks / Studio

Interstage Business Application Server

Interstage Form Coordinator Workflow

Interstage Job Workload Server

Interstage List Manager

Interstage List Works

Interstage Service Integrator

Interstage Shunsaku Data Manager

Interstage Web Server

Interstage XML Business Activity Recorder

ServerView Resource Orchestrator Cloud Edition

SUCCESS SERVER

Systemwalker Availability View

Systemwalker Desktop Inspection

Systemwalker IT Change Manager

Systemwalker IT Process Master

Systemwalker Operation Manager

Systemwalker Runbook Automation

Systemwalker Service Catalog Manager

Systemwalker Service Quality Coordinator

Systemwalker Software Configuration Manager

日立

Cosminexus Application Server Enterprise Version 6

Cosminexus Application Server Standard Version 6

Cosminexus Application Server Version 5

Cosminexus Client Version 6

Cosminexus Developer Light Version 6

Cosminexus Developer Professional Version 6

Cosminexus Developer Standard Version 6

Cosminexus Developer Version 5

Cosminexus Developer's Kit for Java(TM)

Cosminexus Primary Server Base

Cosminexus Server - Standard Edition Version 4

Cosminexus Server - Web Edition Version 4

Cosminexus Studio - Standard Edition Version 4

Cosminexus Studio - Web Edition Version 4

Cosminexus Studio Version 5

HiRDB for Java(TM)/XML

Hitachi Developer's Kit for Java

Processing Kit for XML

uCosminexus Application Server Enterprise

uCosminexus Application Server Express

uCosminexus Application Server Light

uCosminexus Application Server Smart Edition

uCosminexus Application Server Standard

uCosminexus Application Server Standard-R

uCosminexus Client

uCosminexus Client for Plug-in

uCosminexus Developer 01

uCosminexus Developer Light

uCosminexus Developer Professional

uCosminexus Developer Professional for Plug-in

uCosminexus Developer Standard

uCosminexus Operator

uCosminexus Portal Framework エントリセット

uCosminexus Primary Server Base

uCosminexus Service Architect

uCosminexus Service Platform

uCosminexus Service Platform - Messaging

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-5035	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5035
National Vulnerability Database (NVD)
2	CVE-2011-5035	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5035

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Apple Security Updates
1	HT5228	http://support.apple.com/kb/HT5228
Apple セキュリティアップデート
2	HT1338	http://support.apple.com/kb/HT1338?viewlocale=ja_JP
3	HT5228	http://support.apple.com/kb/HT5228?viewlocale=ja_JP
Hitachi Software Vulnerability Information
4	HS12-007	http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-007/index.html
HP Security Bulletin
5	HPSBST02955 SSRT101157	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c04047415
Oracle Critical Patch Update
6	Oracle Critical Patch Update Advisory - April 2012	http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
7	Oracle Critical Patch Update Advisory - January 2012	http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
8	Oracle Critical Patch Update Advisory - January 2013	http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
9	Text Form of Oracle Critical Patch Update - January 2013 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2013verbose-1897756.html
Oracle Security Alert
10	Oracle Security Alert for CVE-2011-5035	http://www.oracle.com/technetwork/topics/security/alert-cve-2011-5035-1506603.html
Red Hat Security Advisory
11	RHSA-2013:1455	http://rhn.redhat.com/errata/RHSA-2013-1455.html
SECURITY BLOG
12	January 2012 Critical Patch Update Released	http://blogs.oracle.com/security/entry/january_2012_critical_patch_update
13	January 2013 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2013_critical_patch_update
サポート技術情報
14	interstage_as_201201	http://software.fujitsu.com/jp/security/products-fujitsu/solution/interstage_as_201201.html
ソフトウェア製品セキュリティ情報
15	HS12-007	http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS12-007/index.html

その他

No	Name	URL
IPA 緊急対策情報
1	20120106-web	http://www.ipa.go.jp/security/ciadr/vul/20120106-web.html
JVN
2	JVNVU#514315	http://jvn.jp/cert/JVNVU514315/
3	JVNVU#903934	http://jvn.jp/cert/JVNVU903934
US-CERT Vulnerability Note
4	VU#903934	http://www.kb.cert.org/vuls/id/903934

Change Log

No	Changed Details	Date of change
0	[2012年01月04日] 掲載 [2012年01月17日] 影響を受けるシステム：富士通 (interstage_as_201201) の情報を追加ベンダ情報：富士通 (interstage_as_201201) を追加 [2012年01月18日] 影響を受けるシステム：オラクル (Oracle Critical Patch Update Advisory - January 2012) の情報を追加ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2012) を追加ベンダ情報：オラクル (January 2012 Critical Patch Update Released) を追加 [2012年02月06日] 影響を受けるシステム：オラクル (alert-cve-2011-5035-1506603) の情報を追加ベンダ情報：オラクル (alert-cve-2011-5035-1506603) を追加 [2012年02月21日] 影響を受けるシステム：日立 (HS12-007) の情報を追加ベンダ情報：日立 (HS12-007) を追加 [2012年03月27日] 影響を受けるシステム：富士通 (interstage_as_201201) の情報を更新 [2012年04月05日] 影響を受けるシステム：アップル (HT5228) の情報を追加ベンダ情報：アップル (HT5228) を追加 [2012年04月13日] ベンダ情報：アップル (HT1338) を追加 [2012年05月14日] 影響を受けるシステム：オラクル (Oracle Critical Patch Update Advisory - April 2012) の情報を追加ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - April 2012) を追加 [2013年01月25日] ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2013) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2013 Risk Matrices) を追加ベンダ情報：オラクル (January 2013 Critical Patch Update Released) を追加 [2015年03月06日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：ヒューレット・パッカード (HPSBST02955 SSRT101157) を追加ベンダ情報：レッドハット (RHSA-2013:1455) を追加	Feb. 17, 2018, 10:37 a.m.