Vulnerability CVE-2019-7314

Vulnerability Name:

CVE-2019-7314 (CCN-156550)

Assigned:

2019-01-31

Published:

2019-01-31

Updated:

2020-07-07

Summary:

liblivemedia in Live555 before 2019.02.03 mishandles the termination of an RTSP stream after RTP/RTCP-over-RTSP has been set up, which could lead to a Use-After-Free error that causes the RTSP server to crash (Segmentation fault) or possibly have unspecified other impact.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-416

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2019-7314

Source: CCN
Type: live555 Web site
[Live-devel] New LIVE555 version - fixes a potential security vulnerability in the RTSP server implementation

Source: MISC
Type: Mailing List, Vendor Advisory
http://lists.live555.com/pipermail/live-devel/2019-February/021143.html

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2019:1797

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2019:1880

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2020:0944

Source: MISC
Type: Vendor Advisory
http://www.live555.com/liveMedia/public/changelog.txt

Source: XF
Type: UNKNOWN
live555-cve20197314-dos(156550)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20190226 [SECURITY] [DLA 1690-1] liblivemedia security update

Source: BUGTRAQ
Type: UNKNOWN
20190317 [SECURITY] [DSA 4408-1] liblivemedia security update

Source: GENTOO
Type: UNKNOWN
GLSA-202005-06

Source: DEBIAN
Type: UNKNOWN
DSA-4408

Vulnerable Configuration:

Configuration 1:

cpe:/a:live555:streaming_media:*:*:*:*:*:*:*:* (Version < 0.95)

Configuration 2:

cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20197314	V	CVE-2019-7314	2022-06-30
oval:org.opensuse.security:def:112547	P	libBasicUsageEnvironment1-2021.08.23-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:93435	P	(Important)	2021-12-06
oval:org.opensuse.security:def:64595	P	Security update for python (Moderate)	2021-10-20
oval:org.opensuse.security:def:106036	P	Security update for curl (Moderate)	2021-10-06
oval:org.opensuse.security:def:63367	P	python3-virt-bootstrap-1.0.0-5.3.124 on GA media (Moderate)	2021-08-10
oval:org.opensuse.security:def:62387	P	podman-2.1.1-4.28.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62364	P	zoo-2.10-1.29 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:62363	P	yubikey-manager-2.1.0-1.10 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:63045	P	velocity-1.7-3.3.1 on GA media (Moderate)	2021-08-09
oval:org.opensuse.security:def:64736	P	Security update for wireshark (Moderate)	2021-07-22
oval:org.opensuse.security:def:64737	P	Security update for bluez (Moderate)	2021-07-22
oval:org.opensuse.security:def:74298	P	Security update for caribou (Important)	2021-07-20
oval:org.opensuse.security:def:64731	P	Security update for the Linux Kernel (Important)	2021-07-15
oval:org.opensuse.security:def:62843	P	binutils-devel-32bit-2.29.1-4.46 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:63153	P	gtk-vnc-devel-0.7.2-1.33 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63183	P	socat-1.7.3.2-4.10 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63189	P	vsftpd-3.0.3-5.7 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:62564	P	libmms-devel-0.6.4-1.24 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63161	P	libopenvswitch-2_8-0-2.8.2-4.16 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63409	P	nodejs12-12.18.0-2.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63148	P	dovecot23-2.3.1-2.20 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:63876	P	Security update for mariadb (Moderate)	2020-12-01
oval:org.opensuse.security:def:65134	P	Security update for podman (Moderate)	2020-12-01
oval:org.opensuse.security:def:63976	P	Security update for permissions (Moderate)	2020-12-01
oval:org.opensuse.security:def:64262	P	glib2-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:75216	P	Security update for live555 (Moderate)	2020-12-01
oval:org.opensuse.security:def:64120	P	Security update for xrdp (Important)	2020-12-01
oval:org.opensuse.security:def:74172	P	Security update for nodejs12 (Important)	2020-12-01
oval:org.opensuse.security:def:64844	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:63736	P	Security update for tomcat (Moderate)	2020-12-01
oval:org.opensuse.security:def:63670	P	Security update for hostinfo, supportutils (Important)	2020-12-01
oval:org.opensuse.security:def:65012	P	Security update for postgresql12 (Important)	2020-12-01
oval:org.opensuse.security:def:64031	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:75079	P	Security update for libqt4 (Moderate)	2020-12-01
oval:org.opensuse.security:def:64078	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:64232	P	cron on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:64946	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:63870	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:110953	P	Security update for live555 (Moderate)	2020-07-07
oval:org.opensuse.security:def:100148	P	Security update for live555 (Moderate)	2019-08-14
oval:org.opensuse.security:def:109922	P	Security update for live555 (Moderate)	2019-07-23
oval:com.ubuntu.disco:def:201973140000000	V	CVE-2019-7314 on Ubuntu 19.04 (disco) - medium.	2019-02-04
oval:com.ubuntu.bionic:def:201973140000000	V	CVE-2019-7314 on Ubuntu 18.04 LTS (bionic) - medium.	2019-02-04
oval:com.ubuntu.xenial:def:201973140000000	V	CVE-2019-7314 on Ubuntu 16.04 LTS (xenial) - medium.	2019-02-04
oval:com.ubuntu.bionic:def:20197314000	V	CVE-2019-7314 on Ubuntu 18.04 LTS (bionic) - medium.	2019-02-03
oval:com.ubuntu.cosmic:def:201973140000000	V	CVE-2019-7314 on Ubuntu 18.10 (cosmic) - medium.	2019-02-03
oval:com.ubuntu.cosmic:def:20197314000	V	CVE-2019-7314 on Ubuntu 18.10 (cosmic) - medium.	2019-02-03
oval:com.ubuntu.trusty:def:20197314000	V	CVE-2019-7314 on Ubuntu 14.04 LTS (trusty) - medium.	2019-02-03
oval:com.ubuntu.xenial:def:20197314000	V	CVE-2019-7314 on Ubuntu 16.04 LTS (xenial) - medium.	2019-02-03

BACK