CVE-2012-0876

Uncontrolled Resource Consumption

Published: Jul 03, 2012 | Modified: Aug 05, 2022
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:N/A:P)
RedHat/V2: 5 MODERATE (AV:N/AC:L/Au:N/C:N/I:N/A:P)
RedHat/V3: (not provided)
Ubuntu: MEDIUM

The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values for identifiers in a way that lets an attacker predict, and therefore deliberately trigger, hash collisions. Context-dependent attackers can thus cause a denial of service (CPU consumption) via an XML file containing many identifiers that hash to the same value.
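The mechanism, as an added example rather than anything taken from the expat sources: a small open-addressing string table whose hash starts from a fixed value, an attacker-side routine that precomputes identifiers landing in one bucket, and the cost of loading those identifiers with and without a salt. The hash shape (xor in a byte, multiply by an odd constant), the table size, the name generator, the target bucket and the salt constant are all assumptions chosen for the demo. What carries over to expat is the principle: before 2.1.0 the per-identifier hash had no secret, so a collision set computed once, offline, works against every unpatched parser; 2.1.0 closes the hole by mixing a per-parser salt into the hash (callers can also supply one through XML_SetHashSalt()).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the identifier hash table in xmlparse.c (added example,
 * not expat's code).  The weakness modelled is the one behind
 * CVE-2012-0876: the hash starts from a fixed value, so anyone who knows
 * the function can precompute identifiers that land in one bucket.
 * Hash shape, table size, name generator, target bucket and salt constant
 * are assumptions chosen for the demo. */

#define TABLE_SIZE    2048UL     /* power of two: bucket = hash & mask */
#define NUM_KEYS      1024       /* half full, the load probing expects */
#define TARGET_BUCKET 7UL        /* arbitrary bucket the attacker aims at */

typedef struct {
    const char *slot[TABLE_SIZE];  /* open addressing, linear probing */
    unsigned long salt;            /* 0 = unsalted, the vulnerable setup */
} table_t;

/* xor a byte, multiply by an odd constant: no secret anywhere */
static unsigned long str_hash(unsigned long salt, const char *s) {
    unsigned long h = salt;
    for (; *s; s++)
        h = (h ^ (unsigned char)*s) * 0xF4243UL;
    return h;
}

/* Insert one key; return how many occupied slots were stepped over.
 * That count is the CPU cost the attacker is trying to inflate. */
static unsigned long table_insert(table_t *t, const char *key) {
    unsigned long i = str_hash(t->salt, key) & (TABLE_SIZE - 1);
    unsigned long steps = 0;
    while (t->slot[i] != NULL) {
        if (strcmp(t->slot[i], key) == 0)
            return steps;          /* duplicate, nothing to add */
        i = (i + 1) & (TABLE_SIZE - 1);
        steps++;
    }
    t->slot[i] = key;
    return steps;
}

/* Encode n as a short, valid XML name: 'x' plus lowercase letters. */
static void make_name(unsigned long n, char buf[16]) {
    int i = 0;
    buf[i++] = 'x';
    do { buf[i++] = (char)('a' + n % 26); n /= 26; } while (n != 0);
    buf[i] = '\0';
}

/* Total probe steps to load n keys into a fresh table with this salt. */
static unsigned long load_cost(const char *keys[], int n, unsigned long salt) {
    table_t *t = calloc(1, sizeof *t);
    unsigned long total = 0;
    t->salt = salt;
    for (int k = 0; k < n; k++)
        total += table_insert(t, keys[k]);
    free(t);
    return total;
}

/* Attacker side.  With no secret in the hash, brute force is enough: about
 * one candidate in TABLE_SIZE hits the wanted bucket, so the whole set costs
 * roughly NUM_KEYS * TABLE_SIZE hash evaluations, done once and reusable. */
static char pool[NUM_KEYS][16];
static const char *evil[NUM_KEYS];
static int evil_ready = 0;

static const char **colliding_keys(void) {
    if (!evil_ready) {
        int found = 0;
        for (unsigned long n = 0; found < NUM_KEYS; n++) {
            make_name(n, pool[found]);             /* scratch until it hits */
            if ((str_hash(0, pool[found]) & (TABLE_SIZE - 1)) == TARGET_BUCKET) {
                evil[found] = pool[found];
                found++;
            }
        }
        evil_ready = 1;
    }
    return evil;
}

static unsigned long attack_cost(unsigned long salt) {
    return load_cost(colliding_keys(), NUM_KEYS, salt);
}

/* Cost of the same number of ordinary, non-colliding identifiers. */
static unsigned long benign_cost(unsigned long salt) {
    static char names[NUM_KEYS][16];
    const char *keys[NUM_KEYS];
    for (int k = 0; k < NUM_KEYS; k++) {
        make_name((unsigned long)k, names[k]);
        keys[k] = names[k];
    }
    return load_cost(keys, NUM_KEYS, salt);
}

int main(void) {
    /* Constructed stand-in for the per-parser random salt a fixed parser
     * draws at startup.  It is odd on purpose: a salt whose low bits (the
     * ones the bucket mask keeps) are all zero would leave the precomputed
     * set intact, while an odd salt gives it no structure to keep. */
    const unsigned long salt = 0x7F4A7C15UL;
    const char **keys = colliding_keys();

    printf("benign names, unsalted   : %lu probe steps\n", benign_cost(0));
    printf("colliding names, unsalted: %lu probe steps\n", attack_cost(0));
    printf("colliding names, salted  : %lu probe steps\n", attack_cost(salt));
    printf("payload sketch: <r %s=\"\" %s=\"\" %s=\"\" ...>\n",
           keys[0], keys[1], keys[2]);
    return 0;
}
```

Compiled and run, the unsalted colliding load costs 523,776 probe steps (1024 identifiers, each walking past every earlier one), against a small fraction of that for either the benign names or the same colliding names once a salt is in play. Two practical points follow. The attack needs nothing from the target beyond the hash function and bucket count, which are public, so any process that feeds attacker-supplied XML to an unfixed expat is reachable, whatever language it is written in; and the Ubuntu list below is long because many of those packages (Python 2, xmlrpc-c, wxWidgets, CMake and VTK among them) carry an embedded copy of the expat source rather than linking the system libexpat, so updating libexpat alone does not cover them.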

Weakness

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Affected Software

Name | Vendor | Start Version | End Version
Libexpat | Libexpat_project | * | 2.1.0 (excluding)
Red Hat Enterprise Linux 5 | RedHat | expat-0:1.95.8-11.el5_8 | *
Red Hat Enterprise Linux 6 | RedHat | expat-0:2.0.1-11.el6_2 | *
Red Hat JBoss Core Services 1 | RedHat | *
Red Hat JBoss Enterprise Application Platform 6.4 | RedHat | *
Red Hat JBoss Web Server 2.1 | RedHat | expat | *

Ubuntu packages (vendor Ubuntu; in the original rows the Start Version column holds the Ubuntu release and End Version is * throughout, so they are grouped here by package):

Audacity: hardy, kinetic, lucid, lunar, mantic, maverick, natty, oneiric, quantal, raring, saucy, utopic, vivid
Ayttm: esm-apps/xenial, hardy, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, trusty, utopic, vivid, wily, xenial, yakkety
Cableswig: esm-apps/xenial, hardy, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, trusty, utopic, vivid, wily, xenial
Cadaver: artful, bionic, cosmic, devel, disco, eoan, esm-apps/bionic, esm-apps/focal, esm-apps/jammy, esm-apps/noble, esm-apps/xenial, focal, groovy, hardy, hirsute, impish, jammy, kinetic, lucid, lunar, mantic, maverick, natty, noble, oneiric, oracular, precise, quantal, raring, saucy, trusty, utopic, vivid, wily, xenial, yakkety, zesty
Cmake: hardy
Coin3: artful, bionic, cosmic, esm-apps/bionic, esm-apps/xenial, esm-infra-legacy/trusty, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, trusty, trusty/esm, utopic, vivid, wily, xenial, yakkety, zesty
Expat: hardy, lucid, maverick, natty, oneiric, precise, upstream
Gdcm: lucid, maverick, natty, oneiric, quantal, raring, saucy, utopic, vivid
Grmonitor: hardy
Insighttoolkit: esm-apps/xenial, hardy, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, trusty, utopic, vivid, wily, xenial
Kompozer: hardy, lucid, maverick, natty, oneiric, precise
Libparagui1.1: hardy, lucid, maverick, natty, oneiric, precise
Libxmltok: hirsute, trusty, xenial
Matanza: artful, bionic, cosmic, devel, disco, eoan, esm-apps/bionic, esm-apps/focal, esm-apps/jammy, esm-apps/noble, esm-apps/xenial, focal, groovy, hardy, hirsute, impish, jammy, kinetic, lucid, lunar, mantic, maverick, natty, noble, oneiric, oracular, precise, quantal, raring, saucy, trusty, utopic, vivid, wily, xenial, yakkety, zesty
Paraview: lucid, maverick, natty, oneiric, quantal, raring, saucy, utopic, vivid
Poco: hardy, lucid, maverick, natty, oneiric, quantal, raring, saucy, utopic, vivid
Python-xml: hardy
Python2.4: hardy
Python2.5: hardy
Simgear: hardy, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, utopic, vivid
Sitecopy: artful, hardy, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, trusty, utopic, vivid, wily, yakkety, zesty
Swish-e: artful, bionic, cosmic, devel, disco, eoan, esm-apps/bionic, esm-apps/focal, esm-apps/jammy, esm-apps/noble, esm-apps/xenial, focal, groovy, hardy, hirsute, impish, jammy, kinetic, lucid, lunar, mantic, maverick, natty, noble, oneiric, oracular, precise, quantal, raring, saucy, trusty, utopic, vivid, wily, xenial, yakkety, zesty
Tdom: artful, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, trusty, utopic, vivid, wily, yakkety, zesty
Tla: artful, hardy, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, utopic, vivid, wily, yakkety, zesty
Vnc4: artful, bionic, cosmic, disco, eoan, esm-apps/bionic, esm-apps/xenial, esm-infra-legacy/trusty, hardy, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, trusty, trusty/esm, upstream, utopic, vivid, wily, xenial, yakkety, zesty
Vtk: hardy, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, utopic, vivid, wily
W3c-libwww: hardy
Wbxml2: artful, hardy, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, trusty, utopic, vivid, wily, yakkety, zesty
Wxwidgets2.6: hardy, lucid, maverick, natty, oneiric, precise
Wxwidgets2.8: hardy, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, utopic, vivid, wily
Wxwindows2.4: hardy
Xmlrpc-c: artful, bionic, cosmic, devel, disco, eoan, focal, groovy, hardy, hirsute, impish, jammy, kinetic, lucid, lunar, mantic, maverick, natty, noble, oneiric, oracular, precise, quantal, raring, saucy, trusty, utopic, vivid, wily, xenial, yakkety, zesty
Xotcl: artful, cosmic, disco, eoan, lucid, maverick, natty, oneiric, precise, quantal, raring, saucy, trusty, utopic, vivid, wily, yakkety, zesty
Xulrunner: hardy

Extended Description

Limited resources include memory, file system storage, database connection pool entries, and CPU. If an attacker can trigger the allocation of these limited resources, but the number or size of the resources is not controlled, then the attacker could cause a denial of service that consumes all available resources. This would prevent valid users from accessing the product, and it could potentially have an impact on the surrounding environment. For example, a memory exhaustion attack against an application could slow down the application as well as its host operating system. There are at least three distinct scenarios which can commonly lead to resource exhaustion:

Resource exhaustion problems often result from an incorrect implementation of the following situations:

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
