Vulnerability CVE-2018-8022

Vulnerability Name:

CVE-2018-8022 (CCN-149089)

Assigned:

2018-08-28

Published:

2018-08-28

Updated:

2018-10-17

Summary:

A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. This affects version 6.2.2. To resolve this issue users running 6.2.2 should upgrade to 6.2.3 or later versions.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-20

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2018-8022

Source: CCN
Type: oss-sec Mailing List, Tue, 28 Aug 2018 15:39:46 -0700
[ANNOUNCE] Apache Traffic Server vulnerability with an invalid TLS handshake - CVE-2018-8022

Source: CCN
Type: Apache Web site
Traffic Server

Source: BID
Type: Third Party Advisory, VDB Entry
105183

Source: CCN
Type: BID-105183
Apache Traffic Server CVE-2018-8022 Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
apache-traffic-cve20188022-dos(149089)

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/apache/trafficserver/pull/2147

Source: MLIST
Type: Vendor Advisory
[trafficserver-users] 20180828 [ANNOUNCE] Apache Traffic Server vulnerability with an invalid TLS handshake - CVE-2018-8022

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-8022

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:traffic_server:*:*:*:*:*:*:*:* (Version >= 6.0.0 and <= 6.2.2)

Configuration CCN 1:

cpe:/a:apache:traffic_server:6.2.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.bionic:def:20188022000	V	CVE-2018-8022 on Ubuntu 18.04 LTS (bionic) - medium.	2018-08-29
oval:com.ubuntu.cosmic:def:201880220000000	V	CVE-2018-8022 on Ubuntu 18.10 (cosmic) - medium.	2018-08-29
oval:com.ubuntu.cosmic:def:20188022000	V	CVE-2018-8022 on Ubuntu 18.10 (cosmic) - medium.	2018-08-29
oval:com.ubuntu.bionic:def:201880220000000	V	CVE-2018-8022 on Ubuntu 18.04 LTS (bionic) - medium.	2018-08-29
oval:com.ubuntu.trusty:def:20188022000	V	CVE-2018-8022 on Ubuntu 14.04 LTS (trusty) - medium.	2018-08-29
oval:com.ubuntu.xenial:def:201880220000000	V	CVE-2018-8022 on Ubuntu 16.04 LTS (xenial) - medium.	2018-08-29
oval:com.ubuntu.xenial:def:20188022000	V	CVE-2018-8022 on Ubuntu 16.04 LTS (xenial) - medium.	2018-08-29

BACK