Hashing algorithm vulnerable to denial of service

Posted by Peter J. Jones on

It’s likely that the hashing algorithm in your favorite language is vulnerable to a denial of service attack. While Perl fixed this forever ago, other languages have been caught with their pants down:

… the flaw affects a long list of technologies, including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google’s open source JavaScript engine V8. The vendors and developers behind these technologies are working to close the vulnerability, with Microsoft warning of “imminent public release of exploit code” for what is known as a hash collision attack.

There’s already a new release of Ruby that fixes the vulnerability, ruby 1.8.7-p357. Ruby 1.9.x is not vulnerable to this attack.
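To make the failure mode concrete, here is an added Ruby example (not from the original post and not Ruby's own implementation): a toy chained hash table that counts key comparisons, fed constructed keys that all collide under a fixed, unseeded toy hash, and then the same keys under a hash keyed with a random per-process seed, which is the general mitigation for this class of bug. `ToyTable`, `WEAK_HASH`, `seeded_hash`, `constructed_keys` and `measure` are hypothetical names, and SHA-256 is an assumed stand-in for a real keyed hash function.

```ruby
require 'digest'
require 'securerandom'

# Toy chained hash table (illustrative, not Ruby's Hash). It counts key
# comparisons, the work that colliding keys inflate.
class ToyTable
  attr_reader :comparisons
  def initialize(hash_fn, buckets = 1024)
    @hash_fn = hash_fn
    @buckets = Array.new(buckets) { [] }
    @comparisons = 0
  end

  def insert(key, value)
    chain = @buckets[@hash_fn.call(key) % @buckets.size]
    chain.each do |pair|
      @comparisons += 1
      return pair[1] = value if pair[0] == key
    end
    chain << [key, value]
  end

  def longest_chain
    @buckets.map(&:size).max
  end
end

# Deliberately weak, unseeded toy hash: every anagram gets the same value.
WEAK_HASH = ->(key) { key.bytes.sum }

# Keyed with a random per-process seed; SHA-256 is an assumed stand-in.
def seeded_hash(seed = SecureRandom.random_bytes(16))
  ->(key) { Digest::SHA256.digest(seed + key.b).unpack1('Q<') }
end

# Constructed input: the 720 distinct orderings of "abcdef".
def constructed_keys
  'abcdef'.chars.permutation.map(&:join)
end

def measure(hash_fn, keys)
  table = ToyTable.new(hash_fn)
  keys.each { |key| table.insert(key, true) }
  { comparisons: table.comparisons, longest_chain: table.longest_chain }
end

puts "unseeded: #{measure(WEAK_HASH, constructed_keys)}"
puts "seeded:   #{measure(seeded_hash, constructed_keys)}"
```

With the unseeded hash all 720 keys land in one chain and inserting them costs 258,840 comparisons, which is quadratic in the number of keys. With the seeded hash the same keys spread across the buckets because their placement depends on a value the sender cannot predict.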

About the Author

Peter J. Jones has been a professional software engineer for over 20 years and is deeply passionate about helping programmers improve the skills of their craft. He is the author of Effective Ruby: 48 Specific Ways to Write Better Ruby. Peter can be reached through our contact page or his Twitter account.