CVE-2018-0739
Public on 2018-03-27
Modified on 2018-12-07
Description
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a denial-of-service attack. There are no such structures used within SSL/TLS that come from untrusted sources, so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).
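The failure mode described above is recursion whose depth is controlled by the input, and the usual defence is a hard cap on nesting depth inside the decoder. The following is an added example, not code from OpenSSL or from this advisory: a minimal DER walker in which `der_len`, `der_walk`, `build_nested` and `MAX_NEST` are hypothetical names and the cap of 30 is an assumed value.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_NEST 30 /* assumed cap for this example, not a value from the advisory */

/* Read a definite DER length (short form, or long form up to 4 bytes). */
static int der_len(const uint8_t **p, const uint8_t *end, size_t *len)
{
    if (*p >= end) return -1;
    uint8_t b = *(*p)++;
    if (b < 0x80) { *len = b; return 0; }
    size_t n = b & 0x7f;
    if (n == 0 || n > 4 || (size_t)(end - *p) < n) return -1; /* no indefinite form */
    for (*len = 0; n > 0; n--) *len = (*len << 8) | *(*p)++;
    return 0;
}

/* Walk all TLVs in [p, end); single-byte tags only. Returns the deepest nesting
 * level reached, -1 for malformed input, -2 when nesting would exceed MAX_NEST. */
int der_walk(const uint8_t *p, const uint8_t *end, int depth)
{
    int deepest = depth;
    if (depth > MAX_NEST) return -2; /* bound the recursion, and so the stack use */
    while (p < end) {
        uint8_t tag = *p++;
        size_t len;
        if ((tag & 0x1f) == 0x1f || der_len(&p, end, &len) != 0 ||
            len > (size_t)(end - p)) return -1;
        if (tag & 0x20) { /* constructed: the contents are TLVs themselves */
            int d = der_walk(p, p + len, depth + 1);
            if (d < 0) return d;
            if (d > deepest) deepest = d;
        }
        p += len;
    }
    return deepest;
}

/* Constructed sample input: n nested empty SEQUENCEs (n <= 64), 2*n bytes. */
size_t build_nested(uint8_t *buf, int n)
{
    for (int i = 0; i < n; i++) {
        buf[2 * i] = 0x30;                           /* SEQUENCE, constructed */
        buf[2 * i + 1] = (uint8_t)(2 * (n - 1 - i)); /* short-form length */
    }
    return (size_t)(2 * n);
}
```

The depth check runs before any content is read at the new level, so stack use is bounded by `MAX_NEST` frames regardless of input size.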
Severity
CVSS v3 Base Score
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
Amazon Linux 1 | mysql56 | 2018-08-22 | ALAS-2018-1069 | Fixed |
Amazon Linux 1 | mysql57 | 2018-08-22 | ALAS-2018-1070 | Fixed |
Amazon Linux 1 | openssl | 2018-08-22 | ALAS-2018-1065 | Fixed |
Amazon Linux 1 | openssl | 2018-12-05 | ALAS-2018-1102 | Fixed |
Amazon Linux 2 - Core | openssl | 2018-11-07 | ALAS2-2018-1102 | Fixed |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
NVD | CVSSv2 | 4.3 | AV:N/AC:M/Au:N/C:N/I:N/A:P |
NVD | CVSSv3 | 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |