Vulnerability CVE-2017-7522

Vulnerability Name:

CVE-2017-7522 (CCN-127635)

Assigned:

2017-06-22

Published:

2017-06-22

Updated:

2017-07-07

Summary:

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character.

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-476

Vulnerability Consequences:

Denial of Service

References:

Source: CCN
Type: OpenVPN Web site
VulnerabilitiesFixedInOpenVPN243 OpenVPN Community

Source: MITRE
Type: CNA
CVE-2017-7522

Source: CCN
Type: SECTRACK ID: 1038768
OpenVPN Multiple Flaws Let Remote Users Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code

Source: BID
Type: Third Party Advisory, VDB Entry
99230

Source: CCN
Type: BID-99230
OpenVPN Multiple Security Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1038768

Source: CONFIRM
Type: Vendor Advisory
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

Source: XF
Type: UNKNOWN
openvpn-cve20177522-dos(127635)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-7522

Vulnerable Configuration:

Configuration 1:

cpe:/a:openvpn:openvpn:*:*:*:*:*:*:*:* (Version <= 2.3.16)

OR cpe:/a:openvpn:openvpn:2.4.0:-:*:*:*:*:*:*

OR cpe:/a:openvpn:openvpn:2.4.0:alpha2:*:*:*:*:*:*

OR cpe:/a:openvpn:openvpn:2.4.0:beta1:*:*:*:*:*:*

OR cpe:/a:openvpn:openvpn:2.4.0:beta2:*:*:*:*:*:*

OR cpe:/a:openvpn:openvpn:2.4.0:rc1:*:*:*:*:*:*

OR cpe:/a:openvpn:openvpn:2.4.0:rc2:*:*:*:*:*:*

OR cpe:/a:openvpn:openvpn:2.4.1:*:*:*:*:*:*:*

OR cpe:/a:openvpn:openvpn:2.4.2:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:openvpn:openvpn:2.4.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20177522	V	CVE-2017-7522	2023-06-22
oval:org.opensuse.security:def:7727	P	openvpn-2.5.6-150400.3.6.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:3133	P	libXRes1-1.0.7-3.53 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94763	P	openvpn-2.5.5-150400.1.5 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:1181	P	Security update for the Linux Kernel (Important)	2022-06-14
oval:org.opensuse.security:def:252	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:232	P	libyaml-0-2-0.1.7-1.17 on GA media (Moderate)	2022-06-13
oval:org.opensuse.security:def:523	P	Security update for u-boot (Important)	2022-06-13
oval:org.opensuse.security:def:843	P	Security update for the Linux Kernel (Important)	2022-03-30
oval:org.opensuse.security:def:113069	P	openvpn-2.5.3-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:69935	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:106507	P	openvpn-2.5.3-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:96732	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:103422	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:89767	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:71353	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:61612	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2021-09-21
oval:org.opensuse.security:def:47745	P	libmusicbrainz4-2.1.5-27.79 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47082	P	libsystemd0-228-117.12 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47044	P	libltdl7-2.4.2-14.30 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47981	P	ctags-5.8-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48043	P	hyper-v-7-7.5 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47306	P	libIlmImf-Imf_2_1-21-2.1.0-4.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47059	P	libpcsclite1-1.8.10-3.4 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48170	P	libpcsclite1-1.8.10-7.6.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47668	P	libQt5WebKit5-5.6.2-1.31 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47373	P	liblzo2-2-2.08-1.13 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48272	P	pigz-2.3-5.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47814	P	libxml2-2-2.9.4-46.15.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47597	P	dpdk-17.11.4-3.6 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:46889	P	apache-commons-httpclient-3.1-4.364 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47910	P	unrar-5.0.14-3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47959	P	automake-1.13.4-6.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47214	P	bash-4.3-82.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47045	P	liblua5_2-32bit-5.2.2-4.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48105	P	libdmx1-1.1.3-3.51 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47454	P	openvswitch-2.7.0-2.29 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47180	P	xdg-utils-20140630-5.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48201	P	libssh4-0.8.7-1.31 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47752	P	libopenjp2-7-2.1.0-4.9.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47505	P	strongswan-5.1.3-25.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47879	P	rsync-3.1.0-13.13.3 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:72011	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62270	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:101028	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:67770	P	Security update for the Linux Kernel (Live Patch 19 for SLE 15) (Important)	2021-06-18
oval:org.opensuse.security:def:48673	P	gd-32bit-2.1.0-3.12 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48964	P	rhythmbox-3.4-6.14 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46754	P	libpango-1_0-0-1.36.3-4.14 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:71062	P	openvpn-2.4.3-3.39 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:71123	P	xen-libs-4.10.1_04-1.4 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48619	P	rtkit-0.11_git201205151338-8.14 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:61321	P	openvpn-2.4.3-3.39 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:71010	P	libpng16-16-1.6.34-1.19 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46753	P	libopenssl1_0_0-1.0.1i-34.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48910	P	gstreamer-0_10-plugins-good-0.10.31-16.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46768	P	libruby2_1-2_1-2.1.2-9.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:100612	P	(Moderate)	2021-05-27
oval:org.opensuse.security:def:69830	P	Security update for qemu (Important)	2021-04-16
oval:org.opensuse.security:def:66487	P	Security update for gimp (Moderate)	2021-01-04
oval:org.opensuse.security:def:61932	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:107278	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:116836	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:93899	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:71673	P	openvpn-2.4.3-5.3.19 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:49230	P	libserf-1-1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:66579	P	openvpn on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64336	P	libjasper4 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49284	P	openvpn on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:73270	P	openvpn on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64423	P	openvpn on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:67670	P	libdmx-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:73152	P	libevent-2_1-8 on GA media (Moderate)	2020-12-01
oval:com.ubuntu.trusty:def:20177522000	V	CVE-2017-7522 on Ubuntu 14.04 LTS (trusty) - medium.	2017-06-27
oval:com.ubuntu.xenial:def:20177522000	V	CVE-2017-7522 on Ubuntu 16.04 LTS (xenial) - medium.	2017-06-27
oval:com.ubuntu.xenial:def:201775220000000	V	CVE-2017-7522 on Ubuntu 16.04 LTS (xenial) - medium.	2017-06-27

BACK