CVE-2018-1000808 — MEDIUM (5.9)

Q: How severe is CVE-2018-1000808?

CVE-2018-1000808 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-1000808?

Check the references section above for vendor advisories and patch information. Affected products include: Pyopenssl Project Pyopenssl, Canonical Ubuntu Linux, Redhat Gluster Storage, Redhat Openstack, Redhat Enterprise Linux Desktop.

Vulnerability Description

Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted. This attack appear to be exploitable via Depends upon calling application, however it could be as simple as initiating a TLS connection. Anything that would cause the calling application to reload certificates from a PKCS #12 store.. This vulnerability appears to have been fixed in 17.5.0.

CVSS Score

5.9

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Pyopenssl Project	Pyopenssl	< 17.5.0
Canonical	Ubuntu Linux	16.04
Redhat	Gluster Storage	3.0
Redhat	Openstack	13
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Workstation	7.0

Related Weaknesses (CWE)

CWE-404

References

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00014.html
https://access.redhat.com/errata/RHSA-2019:0085Third Party Advisory
https://github.com/pyca/pyopenssl/pull/723PatchThird Party Advisory
https://usn.ubuntu.com/3813-1/Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00014.html
https://access.redhat.com/errata/RHSA-2019:0085Third Party Advisory
https://github.com/pyca/pyopenssl/pull/723PatchThird Party Advisory
https://usn.ubuntu.com/3813-1/Third Party Advisory

FAQ

What is CVE-2018-1000808?

CVE-2018-1000808 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial...

How severe is CVE-2018-1000808?

CVE-2018-1000808 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1000808?

Check the references section above for vendor advisories and patch information. Affected products include: Pyopenssl Project Pyopenssl, Canonical Ubuntu Linux, Redhat Gluster Storage, Redhat Openstack, Redhat Enterprise Linux Desktop.