ID CVE-2012-2328
Summary internal/cimxml/sax/NodeFactory.java in Standards-Based Linux Instrumentation for Manageability (SBLIM) Common Information Model (CIM) Client (aka sblim-cim-client2) before 2.1.12 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML file.
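The mechanism behind the summary, as an added example that is not code from sblim-cim-client2 or from this record: Java's `String.hashCode()` is a fixed polynomial with no per-process secret, so an attacker can precompute arbitrarily many distinct names that share one hash and embed them in an XML document; every insert of such a name into a separate-chaining hash table then scans the whole chain, giving O(n^2) CPU for n names. The block reimplements `String.hashCode()` in Python, builds a constructed XML document carrying 1024 colliding attribute names (which XML construct the vulnerable client actually hashed is not stated on this page; attributes are only a convenient carrier), counts key comparisons in a minimal chained table, and contrasts that with a keyed hash as the standard mitigation. `ChainedTable`, `crafted_xml`, `keyed_hash` and the other helper names are assumptions of this example.

```python
# Added demonstration, not code from sblim-cim-client2: a deterministic
# string hash (java.lang.String.hashCode, reimplemented below) lets an
# attacker precompute names that all land in one bucket, so a crafted XML
# document turns hash-table inserts into an O(n^2) linked-list scan.
import hashlib
import itertools
import xml.etree.ElementTree as ET


def java_string_hash(s: str) -> int:
    """java.lang.String.hashCode(): h = 31*h + c over UTF-16 code units,
    truncated to a signed 32-bit int. No per-process secret, so the same
    input collides on every JVM."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_names(n_blocks: int) -> list:
    """All 2**n_blocks strings built from the blocks 'Aa' and 'BB'.
    'Aa' and 'BB' both hash to 2112, and because the hash is a polynomial
    in 31, every concatenation of equal-hash blocks hashes the same."""
    return ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=n_blocks)]


def crafted_xml(names) -> str:
    """Constructed sample input: one element whose attribute names are the
    colliding strings. Which XML construct the vulnerable client hashed is
    not stated in the advisory; attributes are just a convenient carrier."""
    attrs = " ".join(f'{n}="x"' for n in names)
    return f"<DOC {attrs}/>"


def attribute_names(xml_text: str) -> list:
    """Parse the document and return the attribute names, i.e. the strings
    a parser would feed into its hash table."""
    return list(ET.fromstring(xml_text).attrib)


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons.
    It stands in for a HashMap without Java 8's treeified buckets (which
    cap the per-bucket cost for Comparable keys such as String)."""

    def __init__(self, hash_fn, buckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:  # every existing entry in the chain is compared
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def keyed_hash(secret: bytes):
    """Mitigation: a keyed hash (BLAKE2b here) with a per-process random
    key; the attacker cannot precompute collisions without the key."""
    def h(s: str) -> int:
        return int.from_bytes(
            hashlib.blake2b(s.encode(), key=secret, digest_size=8).digest(), "big")
    return h


def comparisons_for(keys, hash_fn) -> int:
    """Insert every key and report how many key comparisons it cost."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.put(k, None)
    return table.comparisons


if __name__ == "__main__":
    import os
    names = attribute_names(crafted_xml(colliding_names(10)))   # 1024 names
    print("distinct hashes:", len({java_string_hash(n) for n in names}))
    print("comparisons, Java hash:", comparisons_for(names, java_string_hash))
    print("comparisons, keyed hash:", comparisons_for(names, keyed_hash(os.urandom(16))))
```

With the Java hash all 1024 names share one hash and the inserts cost 1024*1023/2 comparisons; with the keyed hash the same names spread over the buckets and cost on the order of a few hundred. Doubling the block count doubles the names and quadruples the work, which is the CPU-consumption effect the summary describes. Two caveats a practitioner should keep in mind: Java 8 and later convert long `HashMap` buckets of `Comparable` keys into balanced trees, which bounds this particular degradation for `String` keys, and this page does not say how the upstream fix in NodeFactory.java revision 1.7 addressed the problem, so the keyed-hash mitigation shown here is the generic remedy, not the project's.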
References
Vulnerable Configurations
  • cpe:2.3:a:standards_based_linux_instrumentation_project:standards-based_linux_common_information_model_client:2.1.11:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:12.1:*:*:*:*:*:*:*
  • cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 30-10-2018 - 16:27)
Impact: 2.9 (CVSS v2 impact subscore computed from the vector AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability: 10.0 (CVSS v2 exploitability subscore computed from the same vector)
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
bugzilla
id 819733
title CVE-2012-2328 sblim: hash table collisions CPU usage DoS
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment sblim-cim-client2 is earlier than 0:2.1.3-2.el6
        oval oval:com.redhat.rhsa:tst:20120987005
      • comment sblim-cim-client2 is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20120987006
    • AND
      • comment sblim-cim-client2-javadoc is earlier than 0:2.1.3-2.el6
        oval oval:com.redhat.rhsa:tst:20120987009
      • comment sblim-cim-client2-javadoc is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20120987010
    • AND
      • comment sblim-cim-client2-manual is earlier than 0:2.1.3-2.el6
        oval oval:com.redhat.rhsa:tst:20120987007
      • comment sblim-cim-client2-manual is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20120987008
rhsa
id RHSA-2012:0987
released 2012-06-20
severity Low
title RHSA-2012:0987: sblim-cim-client2 security update (Low)
rpms
  • sblim-cim-client2-0:2.1.3-2.el6
  • sblim-cim-client2-javadoc-0:2.1.3-2.el6
  • sblim-cim-client2-manual-0:2.1.3-2.el6
refmap via4
confirm http://sourceforge.net/p/sblim/bugs/2381/
misc http://sblim.cvs.sourceforge.net/viewvc/sblim/jsr48-client/src/org/sblim/cimclient/internal/cimxml/sax/NodeFactory.java?view=log#rev1.7
suse
  • openSUSE-SU-2012:1621
  • openSUSE-SU-2013:0144
Last major update 30-10-2018 - 16:27
Published 10-02-2014 - 18:15