US-CERT is aware of reports stating that multiple programming language implementations, including web platforms, are vulnerable to hash table collision attacks. This vulnerability could be used by an attacker to launch a denial-of-service attack against websites using affected products.
The Ruby Security Team has updated Ruby 1.8.7. The Ruby 1.9 series is not affected by this attack. Additional information can be found in the Ruby 1.8.7 patchlevel 357 release notes:
We have been releasing annual ruby versions for over a decade in this season. This is one for this year. We have fixed several bugs today. One of them is to fix CVE-2011-4815 (a more detailed situation about the issue is to follow this mail). So everyone who uses 1.8.7 should consider upgrading. For details, please read the ChangeLog as usual.
Microsoft has released an update for the .NET Framework to address this vulnerability and three others. Additional information can be found in Microsoft Security Bulletin MS11-100 and Microsoft Security Advisory 2659883:
Microsoft has completed the investigation into a public report of this vulnerability. We have issued MS11-100 to address this issue. For more information about this issue, including download links for an available security update, please review MS11-100. The vulnerability addressed is the Collisions in HashTable May Cause DoS Vulnerability - CVE-2011-3414.
Many applications, including common web framework implementations, use hash tables to map key values to associated entries. If the hash table contains entries for different keys that map to the same hash value, a hash collision occurs and additional processing is required to determine which entry is appropriate for the key. If an attacker can generate many requests containing colliding key values, an application performing the hash table lookup may enter a denial of service condition. Hash collision denial-of-service attacks were first detailed in 2003, but recent research details how these attacks apply to modern language hash table implementations.
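The mechanism above, as an added illustration that is not part of this advisory or of any affected product: a chained hash table with a pluggable hash function, compared once with a deterministic toy hash (sum of byte values, so anagram keys always collide) and once with a hash keyed by a per-process random seed, which is the class of fix the vendor updates apply. A defensive chain-length limit is also shown. The parameter names and the toy hash are constructed for this example.

```python
import hashlib
import itertools
import os

# Constructed toy example (not the code of any affected product).

def weak_hash(key: str) -> int:
    """Deterministic, unkeyed toy hash: sum of byte values."""
    return sum(key.encode())

PROCESS_SEED = os.urandom(16)  # random per process, unknown to request senders

def seeded_hash(key: str, seed: bytes = PROCESS_SEED) -> int:
    """Keyed hash: bucket placement differs from process to process."""
    digest = hashlib.blake2b(key.encode(), key=seed, digest_size=8).digest()
    return int.from_bytes(digest, "big")

class ChainedTable:
    def __init__(self, hash_fn, buckets=1024, max_chain=None):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.max_chain = max_chain  # optional defensive limit per bucket
        self.probes = 0             # key comparisons performed, i.e. work done

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.probes += 1
            if k == key:
                chain[i] = (key, value)
                return
        if self.max_chain is not None and len(chain) >= self.max_chain:
            raise ValueError("bucket chain limit exceeded; refusing key")
        chain.append((key, value))

    def longest_chain(self) -> int:
        return max(len(c) for c in self.buckets)

# Constructed request parameter names: all anagrams of "abcd" (24 keys),
# so every one has the same byte sum and collides under weak_hash.
COLLIDING_PARAMS = ["".join(p) for p in itertools.permutations("abcd")]

def fill(hash_fn, keys=COLLIDING_PARAMS, max_chain=None):
    """Insert keys; return (table, number accepted). Stops at the chain limit."""
    table = ChainedTable(hash_fn, max_chain=max_chain)
    accepted = 0
    for k in keys:
        try:
            table.insert(k, 1)
            accepted += 1
        except ValueError:
            break
    return table, accepted
```

With the toy hash every key lands in one bucket and lookup work grows quadratically with the number of keys (276 comparisons for 24 inserts); with the seeded hash the same keys spread across buckets, and the chain limit caps the work an attacker can force even when the hash is weak.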
US-CERT will provide additional information as it becomes available.