6.5

CVE-2018-0739

Constructed ASN.1 types with a recursive definition could exceed the stack

Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenSSLOpenSSL Version >= 1.0.2b <= 1.0.2n
OpenSSLOpenSSL Version >= 1.1.0 <= 1.1.0g
CanonicalUbuntu Linux Version14.04 SwEditionlts
CanonicalUbuntu Linux Version16.04 SwEditionlts
CanonicalUbuntu Linux Version17.10
DebianDebian Linux Version7.0
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 19.3% 0.97
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:N/A:P
CWE-674 Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Patch
Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://access.redhat.com/errata/RHSA-2018:3505
https://security.netapp.com/advisory/ntap-20180726-0002/
https://access.redhat.com/errata/RHSA-2018:3221
https://usn.ubuntu.com/3611-2/
Third Party Advisory
https://www.debian.org/security/2018/dsa-4157
Third Party Advisory
https://www.openssl.org/news/secadv/20180327.txt
Vendor Advisory
https://www.tenable.com/security/tns-2018-04
https://www.tenable.com/security/tns-2018-06
https://www.tenable.com/security/tns-2018-07
https://access.redhat.com/errata/RHSA-2019:0366
https://access.redhat.com/errata/RHSA-2019:0367
http://www.securitytracker.com/id/1040576
Third Party Advisory
VDB Entry
https://security.gentoo.org/glsa/201811-21
https://security.netapp.com/advisory/ntap-20180330-0002/
Third Party Advisory
http://www.securityfocus.com/bid/103518
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/105609
https://access.redhat.com/errata/RHSA-2018:3090
https://access.redhat.com/errata/RHSA-2019:1711
https://access.redhat.com/errata/RHSA-2019:1712
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9310d45087ae546e27e61ddf8f6367f29848220d
https://lists.debian.org/debian-lts-announce/2018/03/msg00033.html
Third Party Advisory
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
https://security.gentoo.org/glsa/202007-53
https://securityadvisories.paloaltonetworks.com/Home/Detail/133
https://usn.ubuntu.com/3611-1/
Third Party Advisory
https://www.debian.org/security/2018/dsa-4158
Third Party Advisory