Vulnerability CVE-2017-7671

Vulnerability Name:

CVE-2017-7671 (CCN-139608)

Assigned:

2017-04-11

Published:

2018-02-27

Updated:

2018-03-23

Summary:

There is a DOS attack vulnerability in Apache Traffic Server (ATS) 5.2.0 to 5.3.2, 6.0.0 to 6.2.0, and 7.0.0 with the TLS handshake. This issue can cause the server to coredump.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-20

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2017-7671

Source: CCN
Type: oss-sec Mailing List, Tue, 27 Feb 2018 10:31:15 -0800
Apache Traffic Server vulnerability with TLS handshake - CVE-2017-7671

Source: CCN
Type: Apache Web site
Traffic Server

Source: XF
Type: UNKNOWN
apache-traffic-cve20177671-dos(139608)

Source: MLIST
Type: Vendor Advisory
[dev] 20180227 [ANNOUNCE] Apache Traffic Server vulnerability with TLS handshake - CVE-2017-7671

Source: DEBIAN
Type: Third Party Advisory
DSA-4128

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-7671

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:traffic_server:*:*:*:*:*:*:*:* (Version >= 5.2.0 and <= 5.3.2)

OR cpe:/a:apache:traffic_server:*:*:*:*:*:*:*:* (Version > 6.0.0 and <= 6.2.0)

OR cpe:/a:apache:traffic_server:7.0.0:*:*:*:*:*:*:*

Configuration 2:

cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:apache:traffic_server:6.0.0:*:*:*:*:*:*:*

OR cpe:/a:apache:traffic_server:6.2.0:*:*:*:*:*:*:*

OR cpe:/a:apache:traffic_server:5.3.0:*:*:*:*:*:*:*

OR cpe:/a:apache:traffic_server:7.0.0:*:*:*:*:*:*:*

OR cpe:/a:apache:traffic_server:5.2.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.xenial:def:201776710000000	V	CVE-2017-7671 on Ubuntu 16.04 LTS (xenial) - medium.	2018-02-27
oval:com.ubuntu.artful:def:20177671000	V	CVE-2017-7671 on Ubuntu 17.10 (artful) - untriaged.	2018-02-27
oval:com.ubuntu.xenial:def:20177671000	V	CVE-2017-7671 on Ubuntu 16.04 LTS (xenial) - untriaged.	2018-02-27
oval:com.ubuntu.disco:def:201776710000000	V	CVE-2017-7671 on Ubuntu 19.04 (disco) - medium.	2018-02-27
oval:com.ubuntu.bionic:def:20177671000	V	CVE-2017-7671 on Ubuntu 18.04 LTS (bionic) - untriaged.	2018-02-27
oval:com.ubuntu.cosmic:def:201776710000000	V	CVE-2017-7671 on Ubuntu 18.10 (cosmic) - medium.	2018-02-27
oval:com.ubuntu.cosmic:def:20177671000	V	CVE-2017-7671 on Ubuntu 18.10 (cosmic) - untriaged.	2018-02-27
oval:com.ubuntu.bionic:def:201776710000000	V	CVE-2017-7671 on Ubuntu 18.04 LTS (bionic) - medium.	2018-02-27
oval:com.ubuntu.trusty:def:20177671000	V	CVE-2017-7671 on Ubuntu 14.04 LTS (trusty) - untriaged.	2018-02-27

BACK