Vulnerability Name:

CVE-2018-1000872 (CCN-154805)

Assigned: 2018-04-24
Published: 2018-04-24
Updated: 2019-10-03
Summary: OpenKMIP PyKMIP, all versions before 0.8.0, contains a CWE-399: Resource Management Errors vulnerability (a similar issue to CVE-2015-5262) in the PyKMIP server that can result in denial of service: the server can be made unavailable by one or more clients opening all of the available sockets. The attack appears to be exploitable by a client or clients opening sockets with the server and then never closing them. This vulnerability appears to have been fixed in 0.8.0.
CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-400
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2018-1000872

Source: XF
Type: UNKNOWN
openkmip-cve20181000872-dos(154805)

Source: CCN
Type: PyKMIP GIT Repository
No socket timeout may lead to denial of service #430

Source: MISC
Type: Exploit, Patch, Third Party Advisory
https://github.com/OpenKMIP/PyKMIP/issues/430

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-1000872

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:pykmip_project:pykmip:*:*:*:*:*:*:*:* (Version < 0.8.0)

  * Denotes that component is vulnerable

Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20181000872 | V | CVE-2018-1000872 | 2022-05-22
oval:org.opensuse.security:def:60435 | P | Security update for glib-networking (Important) | 2021-12-13
oval:org.opensuse.security:def:57140 | P | Security update for the Linux Kernel (Important) | 2021-12-06
oval:org.opensuse.security:def:58040 | P | Security update for samba (Important) | 2021-11-19
oval:org.opensuse.security:def:58009 | P | Security update for MozillaFirefox (Important) | 2021-09-22
oval:org.opensuse.security:def:60339 | P | Security update for openssl-1_0_0 (Important) | 2021-08-24
oval:org.opensuse.security:def:57971 | P | Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important) | 2021-07-21
oval:org.opensuse.security:def:59739 | P | Security update for dhcp (Important) | 2021-06-01
oval:org.opensuse.security:def:57897 | P | Security update for MozillaFirefox (Important) | 2021-04-27
oval:org.opensuse.security:def:60223 | P | Security update for fwupdate (Important) | 2021-04-08
oval:org.opensuse.security:def:56967 | P | Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important) | 2021-04-07
oval:org.opensuse.security:def:59868 | P | Security update for nghttp2 (Important) | 2021-03-24
oval:org.opensuse.security:def:60475 | P | Security update for git (Important) | 2021-03-09
oval:org.opensuse.security:def:58090 | P | Security update for grub2 (Important) | 2021-03-02
oval:org.opensuse.security:def:59443 | P | Security update for xen (Important) | 2020-12-07
oval:org.opensuse.security:def:58114 | P | Security update for Cloud7 packages (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56589 | P | Security update for curl (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60812 | P | Security update for libexif (Moderate) | 2020-12-01
oval:org.opensuse.security:def:57697 | P | davfs2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59191 | P | Security update for sssd (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56567 | P | Recommended update for NetworkManager-vpnc (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60774 | P | Security update for java-1_7_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:57412 | P | Security update for lzo | 2020-12-01
oval:org.opensuse.security:def:59685 | P | Security update for libqt5-qtbase (Important) | 2020-12-01
oval:org.opensuse.security:def:60672 | P | Security update for python-PyKMIP (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59035 | P | Security update for ghostscript (Important) | 2020-12-01
oval:org.opensuse.security:def:56566 | P | Security update for transfig (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60690 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:57246 | P | Security update for libtiff | 2020-12-01
oval:org.opensuse.security:def:59432 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:60594 | P | Security update for git (Important) | 2020-12-01
oval:org.opensuse.security:def:59013 | P | Security update for webkit2gtk3 (Important) | 2020-12-01
oval:org.opensuse.security:def:60593 | P | Security update for ardana-monasca, ardana-spark, kafka, kafka-kit, openstack-monasca-api (Important) | 2020-12-01
oval:org.opensuse.security:def:59924 | P | Security update for xen (Important) | 2020-12-01
oval:org.opensuse.security:def:60932 | P | Security update for python-PyKMIP (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59274 | P | Security update for python-ipaddress (Important) | 2020-12-01
oval:org.opensuse.security:def:60644 | P | Security update for libpcap (Important) | 2020-12-01
oval:org.opensuse.security:def:59012 | P | Security update for openssl (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60853 | P | Security update for python-Django (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59252 | P | Security update for squid (Important) | 2020-12-01
oval:org.opensuse.security:def:60555 | P | tftp on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60175 | P | Security update for ucode-intel (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59624 | P | Security update for krb5-appl (Important) | 2020-12-01
oval:org.opensuse.security:def:56729 | P | Security update for MozillaFirefox (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60903 | P | Security update for binutils (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59251 | P | Security update for mutt (Important) | 2020-12-01
oval:org.opensuse.security:def:60517 | P | python on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:57805 | P | libidn-tools on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59986 | P | Security update for sqlite3 (Important) | 2020-12-01
oval:org.opensuse.security:def:80749 | P | Security update for Cloud7 packages (Moderate) | 2019-06-07
oval:org.opensuse.security:def:83938 | P | Security update for python-PyKMIP (Moderate) | 2019-02-14
oval:org.opensuse.security:def:84385 | P | Security update for python-PyKMIP (Moderate) | 2019-02-14
oval:com.ubuntu.disco:def:201810008720000000 | V | CVE-2018-1000872 on Ubuntu 19.04 (disco) - medium. | 2018-12-20
oval:com.ubuntu.bionic:def:20181000872000 | V | CVE-2018-1000872 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-12-20
oval:com.ubuntu.cosmic:def:201810008720000000 | V | CVE-2018-1000872 on Ubuntu 18.10 (cosmic) - medium. | 2018-12-20
oval:com.ubuntu.cosmic:def:20181000872000 | V | CVE-2018-1000872 on Ubuntu 18.10 (cosmic) - medium. | 2018-12-20
oval:com.ubuntu.bionic:def:201810008720000000 | V | CVE-2018-1000872 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-12-20
oval:com.ubuntu.xenial:def:20181000872000 | V | CVE-2018-1000872 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-12-20
oval:com.ubuntu.xenial:def:201810008720000000 | V | CVE-2018-1000872 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-12-20