Vulnerability Name:

CVE-2008-1612 (CCN-41586)

Assigned: 2008-03-22
Published: 2008-03-22
Updated: 2023-02-13
Summary:The arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17 allows attackers to cause a denial of service (process exit) via unknown vectors that cause an array to shrink to 0 entries, which triggers an assert error.
Note: this issue is due to an incorrect fix for CVE-2007-6239.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Consequences: Denial of Service

References:
Source: MITRE
Type: CNA
CVE-2008-1612

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: CCN
Type: squid-announce Mailing List, 2008-03-22 0:05:24
Advisory Squid-2007:2 updated

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: CCN
Type: RHSA-2008-0214
Moderate: squid security update

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: CCN
Type: ASA-2008-163
squid security update (RHSA-2008-0214)

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: DEBIAN
Type: DSA-1646
squid -- array bounds check

Source: CCN
Type: GLSA-200903-38
Squid: Multiple Denial of Service vulnerabilities

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: CCN
Type: Openwall Project Web site
CVE id request: squid

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: CCN
Type: BID-28693
Squid Web Proxy Cache 'arrayShrink()' Remote Denial of Service Vulnerability

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: CCN
Type: Squid Web site
squid : Optimising Web Delivery

Source: CCN
Type: SQUID-2007:2
Squid Proxy Cache Security Update Advisory

Source: secalert@redhat.com
Type: Patch
secalert@redhat.com

Source: CCN
Type: squid-cache Changelog, SQUID_2_6, 2008/01/09 13:02:07
Sometimes arrayShrink() will be asked to shrink by 0 entries. Handle that.

Source: secalert@redhat.com
Type: Exploit
secalert@redhat.com

Source: CCN
Type: TLSA-2008-15
Squid denial of service attack

Source: CCN
Type: USN-601-1
Squid vulnerability

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: XF
Type: UNKNOWN
squid-arrayshrink-dos(41586)

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: SUSE
Type: SUSE-SR:2008:011
SUSE Security Summary Report

Vulnerable Configuration:
Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*
Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
Configuration RedHat 3:
  • cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
Configuration RedHat 4:
  • cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*
Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:squid-cache:squid:2.6.stable17:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable1:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable2:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable3:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable4:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable5:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable6:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable10:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable11:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable7:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable8:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable9:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable12:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable13:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable14:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable15:*:*:*:*:*:*:*
  • OR cpe:/a:squid-cache:squid:2.6.stable16:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
  • OR cpe:/a:mandrakesoft:mandrake_multi_network_firewall:2.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:7.04:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:7.10:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007.1::x86-64:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4.6.z:ga:as:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:4.6.z:ga:es:*:*:*:*:*

  * Denotes that component is vulnerable

Oval Definitions
Definition ID                             Class  Title                                                                                     Last Modified
oval:org.opensuse.security:def:20081612   V      CVE-2008-1612                                                                             2015-11-16
oval:org.mitre.oval:def:17664             P      USN-601-1 -- squid vulnerability                                                          2014-06-30
oval:org.mitre.oval:def:18736             P      DSA-1646-2 squid - array bounds check                                                     2014-06-23
oval:org.mitre.oval:def:7232              P      DSA-1646 squid -- array bounds check                                                      2014-06-23
oval:org.mitre.oval:def:22702             P      ELSA-2008:0214: squid security update (Moderate)                                          2014-05-26
oval:org.mitre.oval:def:11376             V      The arrayShrink function (lib/Array.c) in Squid 2.6.STABLE17 allows attackers to cause a denial of service (process exit) via unknown vectors that cause an array to shrink to 0 entries, which triggers an assert error. NOTE: this issue is due to an incorrect fix for CVE-2007-6239.   2013-04-29
oval:org.debian:def:1646                  V      array bounds check                                                                        2008-10-07
oval:com.redhat.rhsa:def:20080214         P      RHSA-2008:0214: squid security update (Moderate)                                          2008-04-08