CVE-2018-14622 — HIGH (7.5)

Q: How severe is CVE-2018-14622?

CVE-2018-14622 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-14622?

Check the references section above for vendor advisories and patch information. Affected products include: Libtirpc Project Libtirpc, Canonical Ubuntu Linux, Debian Debian Linux, Redhat Enterprise Linux, Redhat Enterprise Linux Desktop.

Vulnerability Description

A null-pointer dereference vulnerability was found in libtirpc before version 0.3.3-rc3. The return value of makefd_xprt() was not checked in all instances, which could lead to a crash when the server exhausted the maximum number of available file descriptors. A remote attacker could cause an rpc-based application to crash by flooding it with new connections.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Libtirpc Project	Libtirpc	< 0.3.3
Canonical	Ubuntu Linux	14.04
Debian	Debian Linux	8.0
Redhat	Enterprise Linux	7.0
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Server Aus	7.4
Redhat	Enterprise Linux Server Eus	7.4
Redhat	Enterprise Linux Workstation	7.0

Related Weaknesses (CWE)

CWE-252

References

http://git.linux-nfs.org/?p=steved/libtirpc.git%3Ba=commit%3Bh=1c77f7a869bdea2a3
https://access.redhat.com/errata/RHBA-2017:1991Third Party Advisory
https://bugzilla.novell.com/show_bug.cgi?id=968175Issue TrackingThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14622Issue TrackingThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/08/msg00034.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/3759-1/Third Party Advisory
https://usn.ubuntu.com/3759-2/Third Party Advisory
http://git.linux-nfs.org/?p=steved/libtirpc.git%3Ba=commit%3Bh=1c77f7a869bdea2a3
https://access.redhat.com/errata/RHBA-2017:1991Third Party Advisory
https://bugzilla.novell.com/show_bug.cgi?id=968175Issue TrackingThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14622Issue TrackingThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/08/msg00034.htmlMailing ListThird Party Advisory
https://usn.ubuntu.com/3759-1/Third Party Advisory
https://usn.ubuntu.com/3759-2/Third Party Advisory

FAQ

What is CVE-2018-14622?

CVE-2018-14622 is a vulnerability with a CVSS score of 7.5 (HIGH). A null-pointer dereference vulnerability was found in libtirpc before version 0.3.3-rc3. The return value of makefd_xprt() was not checked in all instances, which could lead to a crash when the server...

How severe is CVE-2018-14622?

CVE-2018-14622 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-14622?

Check the references section above for vendor advisories and patch information. Affected products include: Libtirpc Project Libtirpc, Canonical Ubuntu Linux, Debian Debian Linux, Redhat Enterprise Linux, Redhat Enterprise Linux Desktop.