Adobe Unknown

Notified:  November 01, 2011 Updated: November 01, 2011

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apache Tomcat Affected

Updated:  December 28, 2011

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

According to the n.runs AG advisory: "Tomcat has released updates (7.0.23, 6.0.35) for this issue which limit the number of request parameters using a configuration parameter. The default value of 10.000 should provide sufficient protection."

IBM Corporation Unknown

Notified:  November 01, 2011 Updated: November 01, 2011

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Affected

Notified:  November 01, 2011 Updated: December 29, 2011

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Microsoft has released an update to the .NET Framework with Microsoft Security Bulletin MS11-100, which addresses this issue.

Oracle Corporation Affected

Notified:  November 01, 2011 Updated: February 15, 2016

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

New information regarding this vulnerability in Java 8 was provided in February 2016 and was sent to Oracle for review.

Ruby Affected

Notified:  November 01, 2011 Updated: December 28, 2011

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

According to the n.runs AG advisory: "CRuby and JRuby provide updates for this issue with a randomized hash function (CRuby 1.8.7-p357, JRuby 1.6.5.1, CVE-2011-4815)."

The PHP Group Affected

Updated:  December 28, 2011

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

According to the n.runs AG advisory: "PHP 5 uses the DJBX33A (Dan Bernstein's times 33, addition) hash function and parses POST form data into the $_POST hash table. Because of the structure of the hash function, it is vulnerable to an equivalent substring attack." From the Workarounds section: "The easiest way to reduce the impact of such an attack is to reduce the CPU time that a request is allowed to take. For PHP, this can be configured using the max_input_time parameter." PHP 5.4.0 RC4 has been released, which adds a max_input_vars directive to help mitigate hash collision attacks. Please note that this is a release candidate, not a stable release.
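The parameter-count cap described above, combined with a check for parameter names that pile onto one DJBX33A value, sketched as a request pre-filter. This is an added example, not code from PHP, n.runs AG, or this note; the function names, the cap of 1000, and the same-hash threshold are assumptions, and `djbx33a` is the textbook 32-bit form rather than a byte-exact copy of PHP's implementation.

```python
from collections import Counter

MAX_INPUT_VARS = 1000  # assumed cap, playing the role of PHP's max_input_vars
MAX_SAME_HASH = 3      # assumed: more distinct names than this on one hash is suspicious


def djbx33a(key: bytes, bits: int = 32) -> int:
    """Textbook DJBX33A: start at 5381, then h = h * 33 + byte, truncated to `bits`."""
    h = 5381
    mask = (1 << bits) - 1
    for b in key:
        h = (h * 33 + b) & mask
    return h


def inspect_params(names, max_vars=MAX_INPUT_VARS, max_same=MAX_SAME_HASH):
    """Return (verdict, detail) for the parameter names of one request.

    The count cap is checked first so an oversized request costs O(1) to refuse.
    """
    if len(names) > max_vars:
        return "reject", f"{len(names)} parameters exceeds cap of {max_vars}"
    distinct = set(names)
    if not distinct:
        return "accept", "no parameters"
    buckets = Counter(djbx33a(n.encode("utf-8")) for n in distinct)
    value, count = buckets.most_common(1)[0]
    if count > max_same:
        return "flag", f"{count} distinct names share hash {value:#010x}"
    return "accept", f"largest same-hash group has {count} name(s)"


# Constructed sample inputs (not taken from any real request).
BENIGN = ["user", "email", "password", "csrf_token", "remember"]
# "Ez" and "FY" hash identically, so any concatenation of them does too.
COLLIDING = ["EzEz", "EzFY", "FYEz", "FYFY"]

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("colliding", COLLIDING),
                          ("oversized", [f"p{i}" for i in range(1001)])):
        print(label, inspect_params(sample))
```

A check like this only helps when it runs before the form data is parsed into the language's own hash table; the count cap is the part that corresponds to the vendor fixes listed on this page.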
