Julian Waelde

**Name of the Vulnerable Software and Affected Versions** OCaml versions 3.12.1 and earlier **Description** The issue allows context-dependent attackers to cause a denial of service, specifically CPU consumption, by providing crafted input to an application that uses hash tables. This is possible because OCaml computes hash values without properly restricting the ability to predictably trigger hash collisions. **Recommendations** For versions 3.12.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plone versions 4.1.3 and earlier **Description** The issue allows remote attackers to cause a denial of service by sending many crafted parameters, resulting in CPU consumption due to hash collisions. **Recommendations** For Plone versions 4.1.3 and earlier, update to a version later than 4.1.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** JRuby versions prior to 1.6.5.1 **Description** The issue allows context-dependent attackers to cause a denial of service, specifically CPU consumption, via crafted input to an application that maintains a hash table. This is due to the computation of hash values without restricting the ability to trigger hash collisions predictably. **Recommendations** For versions prior to 1.6.5.1, update to version 1.6.5.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Rack versions prior to 1.1.3 Rack versions 1.2.x prior to 1.2.5 Rack versions 1.3.x prior to 1.3.6 **Description** The issue allows remote attackers to cause a denial of service by sending many crafted parameters, resulting in CPU consumption due to hash collisions. **Recommendations** For versions prior to 1.1.3, update to version 1.1.3 or later. For versions 1.2.x prior to 1.2.5, update to version 1.2.5 or later. For versions 1.3.x prior to 1.3.6, update to version 1.3.6 or later.

**Name of the Vulnerable Software and Affected Versions** Google V8 (affected versions not specified) **Description** The issue allows remote attackers to cause a denial of service by sending many crafted parameters, resulting in CPU consumption. This is demonstrated by attacks against Node.js, where hash collisions can be triggered predictably due to the lack of restriction in computing hash values for form parameters. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Glassfish versions 2.1.1 through 3.1.1 **Description** The issue allows remote attackers to cause a denial of service by sending many crafted parameters, resulting in CPU consumption. This is due to the computation of hash values for form parameters without restricting the ability to trigger hash collisions predictably. **Recommendations** For Oracle Glassfish versions 2.1.1 through 3.1.1, consider restricting the ability to send many crafted parameters to prevent denial of service attacks. As a temporary workaround, consider implementing measures to limit CPU consumption when handling form parameters. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jetty versions 8.1.0.RC2 and earlier **Description** The issue allows remote attackers to cause a denial of service by sending many crafted parameters, resulting in CPU consumption due to hash collisions. **Recommendations** For Jetty versions 8.1.0.RC2 and earlier, consider updating to a version that addresses this issue, as no specific mitigation measures are provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ruby versions prior to 1.8.7-p357 **Description** The issue allows context-dependent attackers to cause a denial of service, specifically CPU consumption, by providing crafted input to an application that maintains a hash table, thus triggering hash collisions predictably. **Recommendations** For versions prior to 1.8.7-p357, update to version 1.8.7-p357 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Microsoft .NET Framework versions 1.1 SP1 through 4.0 **Description** A denial of service issue exists due to the way ASP.NET Framework handles specially crafted requests, causing a hash collision. This allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. An attacker who successfully exploited this issue could send a small number of specially crafted requests to an ASP.NET server, causing performance to degrade significantly enough to cause a denial of service condition. **Recommendations** For Microsoft .NET Framework versions 1.1 SP1 through 4.0, consider restricting the ability to trigger hash collisions predictably in the CaseInsensitiveHashProvider.getHashCode function as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.