Vulnerability CVE-2017-14054

Vulnerability Name:

CVE-2017-14054 (CCN-131294)

Assigned:

2017-08-25

Published:

2017-08-25

Updated:

2019-10-03

Summary:

In libavformat/rmdec.c in FFmpeg 3.3.3, a DoS in ivr_read_header() due to lack of an EOF (End of File) check might cause huge CPU consumption. When a crafted IVR file, which claims a large "len" field in the header but does not contain sufficient backing data, is provided, the first type==4 loop would consume huge CPU resources, since there is no EOF check inside the loop.

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

7.1 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-834

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2017-14054

Source: DEBIAN
Type: UNKNOWN
DSA-3996

Source: BID
Type: UNKNOWN
100627

Source: CCN
Type: BID-100627
FFmpeg 'libavformat/rmdec.c' Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
ffmpeg-cve201714054-dos(131294)

Source: CCN
Type: FFmpeg GIT Repository
avformat/rmdec: Fix DoS due to lack of eof check

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/FFmpeg/FFmpeg/commit/124eb202e70678539544f6268efc98131f19fa49

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-14054

Vulnerable Configuration:

Configuration 1:

cpe:/a:ffmpeg:ffmpeg:3.3.3:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ffmpeg:ffmpeg:3.3.3:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:201714054	V	CVE-2017-14054	2023-06-22
oval:org.opensuse.security:def:7921	P	libavcodec57-3.4.2-150200.11.28.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:652	P	Security update for qemu (Moderate) (in QA)	2022-10-06
oval:org.opensuse.security:def:765	P	Security update for libtirpc (Important)	2022-09-19
oval:org.opensuse.security:def:667	P	Security update for postgresql-jdbc (Moderate)	2022-08-03
oval:org.opensuse.security:def:94265	P	(Important)	2022-07-22
oval:org.opensuse.security:def:94043	P	(Important)	2022-07-06
oval:org.opensuse.security:def:3570	P	libXvnc1-1.6.0-22.7.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3571	P	libXxf86dga1-1.1.4-3.58 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3302	P	minicom-2.7-3.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3303	P	mipv6d-2.0.2.umip.0.4-19.63 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:95200	P	libavcodec-devel-3.4.2-11.17.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95201	P	libavformat58_76-4.4-150400.1.13 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94932	P	libavcodec57-3.4.2-11.17.1 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94933	P	libavcodec58_134-4.4-150400.1.13 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:1752	P	Security update for the Linux Kernel (Important)	2022-06-14
oval:org.opensuse.security:def:1344	P	Security update for the Linux Kernel (Live Patch 5 for SLE 15 SP3) (Important)	2022-05-10
oval:org.opensuse.security:def:1157	P	Security update for the Linux Kernel (Important)	2022-04-13
oval:org.opensuse.security:def:1457	P	Security update for the Linux Kernel (Live Patch 13 for SLE 15 SP3) (Important)	2022-03-29
oval:org.opensuse.security:def:100756	P	(Important)	2022-03-04
oval:org.opensuse.security:def:1687	P	Security update for wireshark (Moderate)	2022-02-14
oval:org.opensuse.security:def:112221	P	ffmpeg-4-4.4-5.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:1793	P	Security update for gegl (Important)	2021-12-31
oval:org.opensuse.security:def:69974	P	Security update for xorg-x11-server (Important)	2021-12-20
oval:org.opensuse.security:def:1713	P	Security update for nodejs14 (Important)	2021-12-07
oval:org.opensuse.security:def:70309	P	Security update for Salt (Moderate)	2021-10-27
oval:org.opensuse.security:def:64785	P	Security update for fetchmail (Moderate)	2021-10-20
oval:org.opensuse.security:def:67799	P	Security update for the Linux Kernel (Live Patch 23 for SLE 15) (Important)	2021-10-13
oval:org.opensuse.security:def:105751	P	ffmpeg-4-4.4-5.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:71252	P	libdcerpc-binding0-32bit-4.9.5+git.149.9593f64a5c3-1.12 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:71139	P	apparmor-abstractions-2.12.2-7.17.1 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:71372	P	python-2.7.14-7.11.1 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:1216	P	Security update for openssl-1_0_0 (Important)	2021-08-24
oval:org.opensuse.security:def:1572	P	Security update for aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 (Moderate)	2021-08-23
oval:org.opensuse.security:def:47693	P	libarchive13-3.1.2-25.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47174	P	vsftpd-3.0.2-31.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48172	P	libpng12-0-1.2.50-19.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47987	P	cyrus-sasl-2.1.26-8.7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48100	P	libcares2-1.9.1-9.4.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47814	P	libxml2-2-2.9.4-46.15.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47188	P	xorg-x11-server-7.6_1.18.3-57.34 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48234	P	libzypp-16.20.0-2.39.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47286	P	hardlink-1.0-6.38 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48201	P	libssh4-0.8.7-1.31 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48192	P	libsndfile1-1.0.25-36.16.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48007	P	flatpak-1.4.2-1.31 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47309	P	libQt5WebKit5-5.6.2-1.31 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48299	P	rtkit-0.11_git201205151338-8.14 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47287	P	hplip-3.16.11-1.33 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48285	P	python-numpy-1.8.0-5.8.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48340	P	xalan-j2-2.7.0-264.133 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48139	P	libksba8-1.3.0-23.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47502	P	squashfs-4.3-6.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48330	P	unixODBC-2.3.6-7.9.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47301	P	krb5-1.12.5-39.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48347	P	xorg-x11-7.6_1-14.17 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47639	P	gv-3.7.4-1.36 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48231	P	libykcs11-1-1.5.0-3.16 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47634	P	gstreamer-plugins-base-1.8.3-12.11 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47422	P	libudisks2-0-2.1.3-1.13 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47640	P	gvim-7.4.326-16.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47726	P	libjavascriptcoregtk-4_0-18-2.20.3-2.23.8 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47615	P	gdk-pixbuf-lang-2.34.0-19.17.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47654	P	kbd-2.0.4-8.10.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47678	P	libXi6-1.7.4-17.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47874	P	radvd-1.9.7-2.12 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47747	P	libncurses5-32bit-5.9-58.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47775	P	libqt4-32bit-4.8.7-8.8.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47679	P	libXinerama1-1.1.3-3.54 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47173	P	vorbis-tools-1.4.0-26.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48088	P	libXvMC1-1.0.8-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47839	P	p7zip-9.20.1-7.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47968	P	bzip2-1.0.6-30.8.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:1118	P	Security update for rpm (Important)	2021-08-12
oval:org.opensuse.security:def:63421	P	ffmpeg-3.4.2-9.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:100978	P	ffmpeg-3.4.2-9.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:63469	P	ffmpeg-3.4.2-9.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:2332	P	ffmpeg-3.4.2-9.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:2380	P	ffmpeg-3.4.2-9.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:107644	P	ffmpeg-3.4.2-9.2 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:1101	P	libopus-devel-1.3.1-3.6.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101040	P	perl-DBD-mysql-4.046-3.3.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:988	P	g3utils-1.1.37-3.8.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:72495	P	libavcodec57-3.4.2-9.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101182	P	libavcodec57-3.4.2-9.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62776	P	libavcodec57-3.4.2-9.2 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:64552	P	Security update for webkit2gtk3 (Important)	2021-08-03
oval:org.opensuse.security:def:68032	P	Security update for the Linux Kernel (Live Patch 22 for SLE 15 SP1) (Important)	2021-07-29
oval:org.opensuse.security:def:66861	P	Security update for the Linux Kernel (Important)	2021-07-14
oval:org.opensuse.security:def:48739	P	libpcsclite1-32bit-1.8.10-3.7 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48867	P	libproxy1-networkmanager-32bit-0.4.13-16.6 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48804	P	libtag1-32bit-1.9.1-1.265 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:2455	P	libavcodec-devel-3.4.2-2.35 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48835	P	gegl-0_2-0.2.0-14.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:73644	P	Security update for libX11 (Important)	2021-06-08
oval:org.opensuse.security:def:48906	P	gnome-online-accounts-3.20.5-9.6 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48554	P	libssh2-1-1.4.3-19.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48401	P	dbus-1-glib-0.100.2-3.58 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48412	P	eog-3.20.4-7.7 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48638	P	unixODBC-2.3.4-6.5 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48379	P	binutils-2.26.1-9.12.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48443	P	hardlink-1.0-6.38 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48700	P	libzmq3-4.0.4-2.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48593	P	pcsc-ccid-1.4.14-1.42 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:63544	P	libavcodec-devel-3.4.2-2.35 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48514	P	libksba8-1.3.0-23.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48765	P	bogofilter-1.2.4-5.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48677	P	java-1_7_0-openjdk-plugin-1.5.1-1.13 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48796	P	libpcsclite1-32bit-1.8.10-3.7 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:64698	P	Security update for gstreamer, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly (Important)	2021-06-01
oval:org.opensuse.security:def:70204	P	Security update for pcp (Moderate)	2021-04-21
oval:org.opensuse.security:def:64465	P	Security update for tpm2-tss-engine (Moderate)	2021-04-08
oval:org.opensuse.security:def:66723	P	Security update for clamav-database (Important)	2021-04-06
oval:org.opensuse.security:def:66953	P	Security update for the Linux Kernel (Important)	2021-02-09
oval:org.opensuse.security:def:103551	P	libavcodec57-3.4.2-4.12.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63583	P	libavcodec-devel-3.4.2-4.12.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62433	P	libavcodec57-3.4.2-2.35 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:107706	P	libavcodec-devel-3.4.2-9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:72265	P	libavcodec57-3.4.2-4.12.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:103767	P	libavcodec-devel-3.4.2-4.12.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63624	P	libavcodec-devel-3.4.2-9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62546	P	libavcodec57-3.4.2-4.12.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:2494	P	libavcodec-devel-3.4.2-4.12.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:72380	P	libavcodec57-3.4.2-9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:107422	P	libavcodec57-3.4.2-9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:89896	P	libavcodec57-3.4.2-4.12.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62661	P	libavcodec57-3.4.2-9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:71485	P	g3utils-1.1.37-3.8.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:2535	P	libavcodec-devel-3.4.2-9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:116980	P	libavcodec57-3.4.2-9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:94327	P	libavcodec-devel-3.4.2-9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:90112	P	libavcodec-devel-3.4.2-4.12.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:72152	P	libavcodec57-3.4.2-2.35 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:117221	P	libavcodec-devel-3.4.2-9.2 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:49603	P	vino on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49657	P	libavcodec57 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:73296	P	python3-SQLAlchemy on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50100	P	spice-gtk-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:67899	P	libavcodec57 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50154	P	libavcodec-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49375	P	docker-libnetwork on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:73526	P	perl-PerlMagick on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49429	P	libavcodec57 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50139	P	bluez-cups on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:68132	P	libavcodec-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50193	P	libavcodec-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:66631	P	subversion on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49488	P	rtkit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49542	P	libavcodec57 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50180	P	colord on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:70079	P	libavcodec57 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50234	P	libavcodec-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:73414	P	libavcodec57 on GA media (Moderate)	2020-12-01
oval:com.ubuntu.artful:def:201714054000	V	CVE-2017-14054 on Ubuntu 17.10 (artful) - medium.	2017-08-31
oval:com.ubuntu.bionic:def:2017140540000000	V	CVE-2017-14054 on Ubuntu 18.04 LTS (bionic) - medium.	2017-08-31
oval:com.ubuntu.bionic:def:201714054000	V	CVE-2017-14054 on Ubuntu 18.04 LTS (bionic) - medium.	2017-08-31
oval:com.ubuntu.xenial:def:2017140540000000	V	CVE-2017-14054 on Ubuntu 16.04 LTS (xenial) - medium.	2017-08-31
oval:com.ubuntu.xenial:def:201714054000	V	CVE-2017-14054 on Ubuntu 16.04 LTS (xenial) - medium.	2017-08-31

BACK